Hi Moritz,

On Thu, Nov 23, 2006 at 12:29:08AM +0100, Moritz Muehlenhoff wrote:
> I've seen a couple of RC bugs being filed for rpath issues in various
> packages. For stable-security these are only treated as DSA-worthy
> if the rpath points to /tmp, but not towards a directory like /build
> or a specific home directory, as exploiting these would require social
> engineering against root. While they should of course be fixed where
> possible I'd recommend against treating them as release critical per
> se. (At least not in the sense that they're a reason for removing a
> package from testing).

In the case of an rpath pointing to a "specific home directory", I disagree
that any social engineering is required in order to exploit it. Particularly
at larger installations, there's a pretty good chance of some of these
usernames colliding with pre-existing user accounts.

Do you think this is enough reason to consider such bugs RC?

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
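
Added example, not part of either message: a check over `readelf -d` output that flags RPATH/RUNPATH entries in the three locations the thread names (/tmp, /build, a home directory) and, for home-directory entries, reports whether that user name appears in a supplied account list. The sample output, the category labels, the function names and the `/home/<user>` layout are assumptions of this example.

```python
import re

# Constructed sample of `readelf -d` output (not taken from the thread).
SAMPLE = """\
Dynamic section at offset 0x2e00 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libexample.so.1]
 0x000000000000000f (RPATH)              Library rpath: [/usr/lib/example:/home/builder/src/example/.libs:/tmp/build/lib]
 0x000000000000001d (RUNPATH)            Library runpath: [/build/buildd/example-1.0/lib]
"""

ENTRY_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")

# Locations named in the thread; the labels are this example's own.
RULES = [
    ("tmp", re.compile(r"^/tmp(/|$)")),
    ("home-directory", re.compile(r"^/home/(?P<user>[^/]+)(/|$)")),  # assumes /home/<user>
    ("build-directory", re.compile(r"^/build(/|$)")),
]

def classify(entry):
    """Return (category, user) for one search-path entry, or (None, None)."""
    norm = re.sub(r"/+", "/", entry)  # collapse repeated slashes before matching
    for label, rx in RULES:
        m = rx.match(norm)
        if m:
            return label, m.groupdict().get("user")
    return None, None

def audit_rpath(readelf_output, local_users=()):
    """Return one dict per flagged entry. 'account_exists' is True when a
    home-directory entry names a user present in local_users."""
    findings = []
    for tag, value in ENTRY_RE.findall(readelf_output):
        for entry in value.split(":"):
            label, user = classify(entry)
            if label:
                findings.append({
                    "tag": tag, "entry": entry, "category": label,
                    "account_exists": (user in local_users) if user else False,
                })
    return findings

if __name__ == "__main__":
    for f in audit_rpath(SAMPLE, local_users={"builder", "alice"}):
        print(f)
```

On a real system, `readelf -d <binary>` supplies the input and the local account list supplies `local_users`.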

