My kneejerk reaction is that it's not worth making this change. The
attack in question will work against almost any program that is
operated in an insecure directory, including the chmod program
itself. It'd be a real pain to work around this problem in all
applications, one at a time, and it's
Paul Eggert [EMAIL PROTECTED] wrote:
My kneejerk reaction is that it's not worth making this change. The
attack in question will work against almost any program that is
operated in an insecure directory, including the chmod program
itself. It'd be a real pain to work around this problem in
Joey Hess [EMAIL PROTECTED] wrote:
Package: coreutils
Version: 5.2.1-2
Severity: important
Tags: security
Our coreutils seems to be vulnerable to the problem described in
CAN-2005-1039.
http://www.securityfocus.com/archive/1/395489
A quick strace of mkdir -m 400 foo shows the problem: