On Tue, Nov 28, 2006 at 11:03:35PM +0100, Moritz Muehlenhoff wrote:
> Steve Langasek wrote:
> > > I've seen a couple of RC bugs being filed for rpath issues in various
> > > packages. For stable-security these are only treated as DSA-worthy
> > > if the rpath points to /tmp, but not towards a directory like /build
> > > or a specific home directory, as exploiting these would require social
> > > engineering against root. While they should of course be fixed where
> > > possible I'd recommend against treating them as release critical per
> > > se. (At least not in the sense that they're a reason for removing a
> > > package from testing).

> > In the case of an rpath pointing to a "specific home directory", I disagree
> > that any social engineering is required in order to exploit it.
> > Particularly at larger installations, there's a pretty good chance of some
> > of these usernames colliding with pre-existing user accounts. Do you think
> > this is enough reason to consider such bugs RC?

> IMO this is a corner-case. Although the real-world implications are probably
> negligible we could as well treat it as RC.

FWIW, this is still my preference, just as it is my preference to treat
"corner-case" data loss bugs as RC: the impact of such bugs on people who
actually run *into* them is not mitigated by knowing that most other people
*didn't* have their root account compromised / their partition trashed / their
thesis chewed up and turned into line noise :)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
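The thread distinguishes rpaths by who could control the directory they name (/tmp, a build path such as /build, a home directory). The script below is an added example, not code from the thread or from Debian, that makes that triage mechanical: it reads the RPATH/RUNPATH lines that `readelf -d` prints, splits the colon-separated elements, and classifies each one. The prefix lists, the severity ordering and the embedded sample readelf output are constructed assumptions; `scan_binary` runs the real readelf when binutils is installed, otherwise the sample is used.

```python
#!/usr/bin/env python3
"""Classify ELF RPATH/RUNPATH entries by who could control the directory.

Added example, not code from the thread or from Debian: the directory
classes below and the sample readelf output are constructed assumptions
meant to make the /tmp vs. /build vs. home-directory distinction mechanical.
"""
import re
import shutil
import subprocess
from typing import List, Tuple

# Prefixes treated as trusted, root-owned library locations (assumption;
# extend with /lib64 and /usr/lib64 on multilib systems).
SYSTEM_PREFIXES = ("/lib", "/usr/lib", "/usr/local/lib", "/usr/libexec")
# World-writable locations: any local user can pre-create a library here.
WORLD_WRITABLE_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm")
# Per-user locations: controlled by whoever owns (or can obtain) that account.
HOME_PREFIXES = ("/home", "/root")

# Matches the RPATH/RUNPATH lines printed by `readelf -d`.
_RPATH_LINE = re.compile(
    r"\((?:RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s*\[(?P<paths>[^\]]*)\]")


def _under(path: str, prefix: str) -> bool:
    """True if path is prefix itself or a descendant of it (so /tmpfoo
    does not count as /tmp)."""
    return path == prefix or path.startswith(prefix + "/")


def classify_rpath(entry: str) -> str:
    """Return one of: origin-relative, world-writable, home-directory,
    system, non-system."""
    if entry.startswith("$ORIGIN") or entry.startswith("${ORIGIN}"):
        # Resolved relative to the binary's own location; only as
        # trustworthy as the directory the binary is installed in.
        return "origin-relative"
    if any(_under(entry, p) for p in WORLD_WRITABLE_PREFIXES):
        return "world-writable"
    if any(_under(entry, p) for p in HOME_PREFIXES):
        return "home-directory"
    if any(_under(entry, p) for p in SYSTEM_PREFIXES):
        return "system"
    # e.g. /build/... or /opt/...: inert unless someone can create it.
    return "non-system"


def parse_readelf_dynamic(text: str) -> List[Tuple[str, str]]:
    """Extract every RPATH/RUNPATH element from readelf -d output and
    classify it. Elements are colon-separated inside the brackets."""
    findings = []
    for line in text.splitlines():
        m = _RPATH_LINE.search(line)
        if not m:
            continue
        for element in m.group("paths").split(":"):
            findings.append((element, classify_rpath(element)))
    return findings


def worst_finding(findings: List[Tuple[str, str]]) -> str:
    """Collapse a binary's entries to its most serious class. The ordering
    is an assumption mirroring the thread: /tmp worse than a home
    directory, which is worse than a leftover build path."""
    order = ["world-writable", "home-directory", "non-system",
             "origin-relative", "system"]
    classes = {cls for _, cls in findings}
    for cls in order:
        if cls in classes:
            return cls
    return "none"


def scan_binary(path: str) -> List[Tuple[str, str]]:
    """Run readelf -d on a real file, if binutils is installed."""
    readelf = shutil.which("readelf")
    if readelf is None:
        raise RuntimeError("readelf not found; install binutils")
    out = subprocess.run([readelf, "-d", path], capture_output=True,
                         text=True, check=True).stdout
    return parse_readelf_dynamic(out)


# Constructed sample of `readelf -d` output (not from a real package).
SAMPLE_READELF_OUTPUT = """\
Dynamic section at offset 0x2d98 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/tmp/buildd/pkg-1.0/lib:/usr/lib/pkg]
 0x000000000000001d (RUNPATH)            Library runpath: [/home/buildd/lib:$ORIGIN/../lib]
 0x000000000000000c (INIT)               0x1000
"""

if __name__ == "__main__":
    import sys
    findings = (scan_binary(sys.argv[1]) if len(sys.argv) > 1
                else parse_readelf_dynamic(SAMPLE_READELF_OUTPUT))
    for entry, cls in findings:
        print(f"{cls:16} {entry}")
    print("worst:", worst_finding(findings))
```

Run it with a path to an ELF file to check a real binary, or with no arguments to see the sample classified; the "worst" line is the one a triage script would key a severity on, with "home-directory" being exactly the case the thread argues about.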

