severity 415535 important
thanks

On Tue, Mar 20, 2007 at 12:45:33AM +0000, Justin B Rye wrote:
> Package: atris
> Version: 1.0.7.dfsg.1-3
> Severity: serious

> [EMAIL PROTECTED]:~$ ls -l .atrisrc
> -rw-rw-rw- 1 jbr games 518 2007-03-18 12:48 .atrisrc

> This is a security issue, although not of the system-hijacking
> variety: a world-writable file lets any local process perform a
> Denial of Service by filling the partition. This on its own might
> not rate a DSA, but bearing in mind that atris itself can function
> as a network client/server (exposed to whatever exploits a bad loser
> in a foreign country/OS might devise) I think it needs to count as
> an RC bug.

Since you don't seem to be arguing that there's an exploitable hole here
as a result of the application not properly handling a garbage .atrisrc
file, I don't think this warrants an RC severity. If you aren't using
quotas, you /already/ have the possibility for any local process to fill a
partition; if you are using quotas, the user can un-stick his own disk
fillage by deleting any broken .atrisrc file and recreating it with the
right permissions.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
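
Added example, not part of the original message or of the atris package: a shell audit that finds dotfiles carrying the world-writable bit shown in the `ls -l` output above and strips it. It repairs in place with `chmod` rather than deleting and recreating the file, and it assumes that "right permissions" means no group/other write; the function names are illustrative.

```shell
#!/bin/sh
# Audit the dotfiles directly under a directory for the "other write" bit
# (the -rw-rw-rw- mode reported for .atrisrc) and optionally repair them.
# Assumes a find(1) that supports -maxdepth (GNU and BSD find both do) and
# file names without embedded newlines.

# list_world_writable DIR
# Print every regular dotfile in DIR that any local user may write to.
list_world_writable() {
    # -perm -0002 matches files whose mode includes the o+w bit.
    find "$1" -maxdepth 1 -type f -name '.*' -perm -0002 -print
}

# count_world_writable DIR
# Print the number of offending files; 0 means the directory is clean.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# fix_world_writable DIR
# Remove group/other write from each offending file, leaving the owner's
# bits and all read bits untouched (0666 becomes 0644).
fix_world_writable() {
    list_world_writable "$1" | while IFS= read -r f; do
        chmod go-w "$f" && printf 'fixed: %s\n' "$f"
    done
}
```

Run `list_world_writable "$HOME"` to report only; `fix_world_writable "$HOME"` changes modes but does not address whatever created the file with mode 0666 in the first place.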

