Control: severity -1 normal
Control: found -1 8.0.14-1
On Sat, Oct 15, 2016 at 07:25:59AM +1100, paul.sz...@sydney.edu.au wrote:
> Dear Salvatore,
> > You are operating here outside of /tmp (sticky world-writable
> > directory) which the above issue for the init scripts relies on,
> > right? fs.protected_(hardlinks|symlinks) is exactly a hardening for
> > those issues:
> > https://www.kernel.org/doc/Documentation/sysctl/fs.txt
> I see: the kernel now treats things in /tmp (with sticky bit
> permissions) differently from other places (without "weird"
> permissions). Thanks for pointing this out for me!
> (I never noticed this change...)
> Then I agree that this issue is not exploitable in default Debian,
> no need for DSA. (Sorry about the noise.)
Welcome and thanks for confirming, and no problem (glad we could
elaborate together on the issue and the impact).
I'm lowering the severity, and also marking 8.0.14-1 as a found version,
up to and including the unstable version.
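
The rule discussed in this thread, as an added example that is not part of the original messages: a small model of the fs.protected_symlinks decision as documented in the linked sysctl/fs.txt, plus an audit of which symlinks in a directory a given uid would be refused to follow. The function names and the `follower_uid` parameter are assumptions made for this illustration.

```python
import os
import stat

SYSCTL = "/proc/sys/fs/protected_symlinks"

def sysctl_enabled(path=SYSCTL):
    """Return True/False for the sysctl, or None if it cannot be read."""
    try:
        with open(path) as f:
            return f.read().strip() != "0"
    except OSError:
        return None

def follow_allowed(enabled, dir_mode, dir_uid, link_uid, follower_uid):
    """Model of the documented rule: with the sysctl on, a symlink is followed
    only outside a sticky world-writable directory, or when symlink owner and
    follower match, or when the directory owner matches the symlink owner."""
    if not enabled:
        return True                       # hardening off: always followed
    sticky_ww = stat.S_ISVTX | stat.S_IWOTH
    if (dir_mode & sticky_ww) != sticky_ww:
        return True                       # not sticky and world-writable
    if link_uid == follower_uid:
        return True                       # follower owns the symlink
    return link_uid == dir_uid            # directory owner owns the symlink

def audit_dir(directory, follower_uid=0, enabled=None):
    """Names of symlinks in `directory` that `follower_uid` could not follow."""
    if enabled is None:
        enabled = bool(sysctl_enabled())  # unreadable sysctl counts as off
    d = os.stat(directory)
    refused = []
    for entry in os.scandir(directory):
        if entry.is_symlink():
            st = entry.stat(follow_symlinks=False)
            if not follow_allowed(enabled, d.st_mode, d.st_uid,
                                  st.st_uid, follower_uid):
                refused.append(entry.name)
    return sorted(refused)

if __name__ == "__main__":
    print("protected_symlinks enabled:", sysctl_enabled())
    print("refused for uid 0 in /tmp:", audit_dir("/tmp"))
```

A directory without the sticky bit or without world-write permission always falls through the second check, which is why behaviour observed outside /tmp differs from behaviour inside it.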