Processed: Re: Bug#882258: busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters
Processing commands for cont...@bugs.debian.org:

> found 882258 1:1.20.0-7
Bug #882258 [src:busybox] busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters
Marked as found in versions busybox/1:1.20.0-7.
> found 882258 1:1.22.0-9+deb8u1
Bug #882258 [src:busybox] busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters
Marked as found in versions busybox/1:1.22.0-9+deb8u1.
> found 882258 1:1.22.0-19
Bug #882258 [src:busybox] busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters
Marked as found in versions busybox/1:1.22.0-19.
> found 882258 1:1.27.2-1
Bug #882258 [src:busybox] busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters
Ignoring request to alter found versions of bug #882258 to the same values previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
882258: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882258
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#882258: busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters
found 882258 1:1.20.0-7
found 882258 1:1.22.0-9+deb8u1
found 882258 1:1.22.0-19
found 882258 1:1.27.2-1
thanks

Salvatore Bonaccorso wrote...

> Please adjust the affected versions in the BTS as needed, only
> unstable checked so far.

Can help with that: All versions back to and including wheezy are
affected. Luckily the fix applies sanely everywhere, updated packages
will follow ASAP.

Christoph
Processed: severity of 882258 is important, tagging 882258
Processing commands for cont...@bugs.debian.org:

> severity 882258 important
Bug #882258 [src:busybox] busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters
Severity set to 'important' from 'grave'
> tags 882258 + upstream fixed-upstream
Bug #882258 [src:busybox] busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters
Added tag(s) upstream and fixed-upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
882258: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882258
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#882258: busybox: CVE-2017-16544: lineedit: do not tab-complete any strings which have control characters
Source: busybox
Version: 1:1.27.2-1
Severity: grave
Tags: security

Hi,

the following vulnerability was published for busybox. I realize you
know of the issue already but just filing to have a tracking bug as
well in the BTS.

CVE-2017-16544[0]:
| In the add_match function in libbb/lineedit.c in BusyBox through
| 1.27.2, the tab autocomplete feature of the shell, used to get a list
| of filenames in a directory, does not sanitize filenames and results in
| executing any escape sequence in the terminal. This could potentially
| result in code execution, arbitrary file writes, or other attacks.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16544
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16544
[1] https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8

Please adjust the affected versions in the BTS as needed, only
unstable checked so far.

Regards,
Salvatore
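An added illustration of the check named in the bug title (not BusyBox's code and not the upstream patch): completion candidates containing a control byte are dropped, and names are escaped before being logged. The function names and the sample filenames are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* 1 if the name holds a C0 control byte (< 0x20) or DEL (0x7f).
 * Bytes >= 0x80 are left alone so UTF-8 names still complete. */
int name_has_control_chars(const char *name)
{
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 1;
    return 0;
}

/* Copy only control-free candidates into out[]; returns how many were kept. */
size_t filter_completions(const char *const *cand, size_t n, const char **out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!name_has_control_chars(cand[i]))
            out[kept++] = cand[i];
    return kept;
}

/* Render a name for logs: each control byte becomes \xNN, so the terminal
 * never interprets it. Returns bytes written, or -1 if buf is too small. */
int escape_for_display(const char *name, char *buf, size_t buflen)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        int ctrl = (*p < 0x20 || *p == 0x7f);
        if (o + (ctrl ? 4 : 1) + 1 > buflen)
            return -1;
        if (ctrl)
            o += (size_t)snprintf(buf + o, buflen - o, "\\x%02x", *p);
        else
            buf[o++] = (char)*p;
    }
    if (o + 1 > buflen)
        return -1;
    buf[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed directory listing; the second name embeds ESC [ 3 1 m. */
    const char *names[] = { "notes.txt", "log\x1b[31m.txt", "README" };
    const char *safe[3];
    char shown[64];
    size_t kept = filter_completions(names, 3, safe);
    printf("offered for completion: %zu of 3\n", kept);
    if (escape_for_display(names[1], shown, sizeof shown) >= 0)
        printf("rejected: %s\n", shown);
    return 0;
}
```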
Re: Easier installer?
> On Mon, 20 Nov 2017 10:30:06 -0500, lsore...@csclub.uwaterloo.ca (Lennart
> Sorensen) said:

> On Sun, Nov 19, 2017 at 12:26:58PM +0100, Thomas Lange wrote:
>> > On Sun, 19 Nov 2017 11:56:35 +0100, Thomas Lange said:
>>
>> > JFTR, I just look at an openSuse Tumbleweed installation. They are
>> > using a world map for selecting the timezone.
>> And Linux Mint is showing a world map with timezones, but no country borders.

> Do they have a zoom? Otherwise some timezones would be very very hard
> to select.

Have a look at https://www.rootusers.com/install-linux-mint/
Linux Mint does not have a zoom, but you can enter a city on the bottom.

opensuse has a zoom function in the map. Screenshots:
https://www.unixmen.com/opensuse-tumbleweed-last-kde-plasma/

--
regards Thomas
Re: Easier installer?
Lennart Sorensen, on lun. 20 nov. 2017 10:24:35 -0500, wrote:
> On Sat, Nov 18, 2017 at 09:20:36PM +, Ben Hutchings wrote:
> > Implementing locale selection using a map also runs the risk of getting
> > your software banned in countries that disagree with where you put the
> > borders.
>
> Also tricky in the non-gui installer, which at least some systems have
> to use (serial or ssh install on systems without graphics).
>
> Sure those systems are probably not as likely to be the typical simple
> user cases.

Yes, I believe we don't need to support beginner users there :)

Samuel
Re: Easier installer?
On Sun, Nov 19, 2017 at 12:26:58PM +0100, Thomas Lange wrote:
> > On Sun, 19 Nov 2017 11:56:35 +0100, Thomas Lange said:
>
> > JFTR, I just look at an openSuse Tumbleweed installation. They are
> > using a world map for selecting the timezone.
> And Linux Mint is showing a world map with timezones, but no country borders.

Do they have a zoom? Otherwise some timezones would be very very hard
to select.

--
Len Sorensen
Re: Easier installer?
On Sat, Nov 18, 2017 at 09:20:36PM +, Ben Hutchings wrote:
> Implementing locale selection using a map also runs the risk of getting
> your software banned in countries that disagree with where you put the
> borders.

Also tricky in the non-gui installer, which at least some systems have
to use (serial or ssh install on systems without graphics).

Sure those systems are probably not as likely to be the typical simple
user cases.

--
Len Sorensen
Re: Easier installer?
On Sat, 18 Nov 2017, "Jonathan Carter (highvoltage)" wrote:
> Hi Samuel
>
> On 18/11/2017 02:15, Samuel Thibault wrote:
>> Put another way: I *don't* think we want to change this set of
>> questions, we'd just lose users. Thus the other proposal, proposed right
>> from the start of the thread: have *another* panel of questions really
>> meant for beginner, and that advanced users can easily skip, for the 90%
>> cases that often match beginners cases.
>
> +1, because the choice of questions is just one part of the problem. The
> other is that d-i asks some questions, does some work, and then asks
> some more questions. For a simple mode for the 90% of users out there,
> it could ask all the simple questions up front and then continue with
> the work. Right?

The later questions are mostly conditional on the state of the installer
at the time they are asked, so one cannot do a simple-minded automatic
reordering.

Some of them are really about the state of the archive (e.g. the tasksel
menu) which could be pre-processed and then asked early (if we don't
mind losing the option of updating the tasks after the media are built).

Others are things where we could just decide to ask early in a
handcrafted ask-early.udeb that then preseeds the later questions to
avoid them being asked mid-install.

Working out how to ask about partitioning before one knows what disks
are available is not going to be fixed by either approach though.

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
getting on the boot list
How do I subscribe to this list?