On Tue, Aug 12, 2008 at 03:52:14PM -0700, John H. Robinson, IV wrote:
As mktemp and tempfile are both essential[2], they can be relied upon.
Essential in Debian, not in other systems.
Is there any scenario where using mktemp or tempfile fails, and using
$TMPDIR succeeds?
Scripts that are
Hi *,
a little bit late, but since I am currently working in Germany...
On 2008-08-11 17:31:51, Sam Morris wrote:
A while ago, the use of libpam-tmpdir was suggested in order to mitigate
some of these attacks. It would be nice to see it in use by default, some
day.
Obviously there
Package: lintian
Tags: patch, security
Severity: wishlist
Hello, lintian maintainers!
please see the full discussion in -devel:
http://lists.debian.org/debian-devel/2008/08/msg00271.html
for example, see the bug
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
(if attacker
Dmitry E. Oboukhov [EMAIL PROTECTED] writes:
Package: lintian
Tags: patch, security
Severity: wishlist
Hello, lintian maintainers!
please see the full discussion in -devel:
http://lists.debian.org/debian-devel/2008/08/msg00271.html
for example, see the bug
Brian May wrote:
Ivan Jager wrote:
qemu-make-debian-root will continue running even if mkdir failed.
Dmitry said the script has -e set - if so the script will not continue
running if mkdir failed (unless it somehow overrides the -e check, e.g.
mkdir /tmp/file || true).
You must take care to
Ivan Jager wrote:
qemu-make-debian-root will continue running even if mkdir failed.
Dmitry said the script has -e set - if so the script will not continue running
if mkdir failed (unless it somehow overrides the -e check, e.g. mkdir /tmp/file || true).
Also, assuming qemu-make-debian-root is
Dmitry E. Oboukhov wrote:
qemu mounts the directory /tmp/mount.$$. An attacker creates many
symlinks /tmp/dir.\d+ -> /etc and if qemu
(/usr/sbin/qemu-make-debian-root) starts then /etc goes
out of the root directory tree. The result: the system is unusable.
I might be dense, but I don't get this.
On 18:42 Wed 13 Aug , Brian May wrote:
Dmitry E. Oboukhov wrote:
qemu mounts the directory /tmp/mount.$$. An attacker creates many
symlinks /tmp/dir.\d+ -> /etc and if qemu
(/usr/sbin/qemu-make-debian-root) starts then /etc goes
out of the root directory tree. The result: the system is
On Wed, 13 Aug 2008, Brian May wrote:
Dmitry E. Oboukhov wrote:
qemu mounts the directory /tmp/mount.$$. An attacker creates many
symlinks /tmp/dir.\d+ -> /etc and if qemu
(/usr/sbin/qemu-make-debian-root) starts then /etc goes
out of the root directory tree. The result: the system is unusable.
I
Report of sid: http://uvw.ru/report.sid.txt
On 13:45 Mon 11 Aug , Joey Hess wrote:
JH Dmitry E. Oboukhov wrote:
JH os-prober_1.17 os-prober
/tmp/mounted-map (pipe)
JH
/tmp/raided-map (pipe)
JH os-prober writes to
A while ago, the use of libpam-tmpdir was suggested in order to mitigate
some of these attacks. It would be nice to see it in use by default, some
day.
Obviously there will always be some programs that don't look at the
TMPDIR environment variable and directly use /tmp.
write file to
The attached script looks through a mirror of a specified distribution
and searches for '\s*/tmp/' and 'tee [^|]*/tmp/' constructions.
It finds fewer errors than I found earlier; however, the results of its
work are more accurate.
The script looks through all the files of packages marked
Dmitry E. Oboukhov wrote:
A while ago, the use of libpam-tmpdir was suggested in order to mitigate
some of these attacks. It would be nice to see it in use by default, some
day.
Obviously there will always be some programs that don't look at the
TMPDIR environment variable and directly use
EVL The idea behind libpam-tmpdir is that it creates a subdirectory of /tmp
EVL that is only accessible by that user, and then sets TMPDIR and other
EVL variables to that. Hence, it doesn't matter nearly as much if you
EVL create a non-random filename, because nobody but you can access it.
EVL
report for etch:
http://uvw.ru/report.etch.txt
107 packages :(
On 18:23 Tue 12 Aug , Dmitry E. Oboukhov wrote:
TDEO The attached script looks through a mirror of a specified distribution
TDEO and searches for '\s*/tmp/' and 'tee [^|]*/tmp/' constructions.
TDEO It finds fewer errors
Dmitry E. Oboukhov wrote:
EVL The idea behind libpam-tmpdir is that it creates a subdirectory of /tmp
EVL that is only accessible by that user, and then sets TMPDIR and other
EVL variables to that. Hence, it doesn't matter nearly as much if you
EVL create a non-random filename, because nobody
Package: mplayer nws ppp twiki
Severity: grave
Tags: security
This message about the error concerns a few packages at once. I've
tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
config scripts were tested.
In some packages I've discovered scripts with errors which may
On Mon Aug 11, 2008 at 10:57:56 +0400, Dmitry E. Oboukhov wrote:
I set Severity to grave for this bug. The table of discovered
problems is below.
Great work.
I don't think there should be any objection to a mass-filing for
security sensitive bugs - and from the sounds of
On 10:27 Mon 11 Aug , Steve Kemp wrote:
SK On Mon Aug 11, 2008 at 10:57:56 +0400, Dmitry E. Oboukhov wrote:
SK I set Severity into grave for this bug. The table of discovered
SK problems is below.
SK Great work.
SK I don't think there should be any objection to a mass-filing for
On 10:57 Mon 11 Aug , Dmitry E. Oboukhov wrote:
DEO Package: mplayer nws ppp twiki
DEO Severity: grave
DEO Tags: security
DEO This message about the error concerns a few packages at once. I've
DEO tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
DEO config scripts
Great work. If you have the time to see if any of these are included
in stable (etch) please could you do so?
It might be that we'd need to release a security update, or at least
a package for the next point release. (I guess severity grave and
a tag of security will ensure the same
DEO Package: mplayer nws ppp twiki
DEO Severity: grave
DEO Tags: security
DEO This message about the error concerns a few packages at once. I've
DEO tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
DEO config scripts were tested.
DEO In some packages I've discovered
On Aug 11, Steve Kemp [EMAIL PROTECTED] wrote:
I don't think there should be any objection to a mass-filing for
security sensitive bugs - and from the sounds of it you'll only be
filing a few bugs, not a mass of them.
Except that one of the packages listed was obviously not vulnerable,
On 14:05 Mon 11 Aug , Steve Kemp wrote:
SK Great work. If you have the time to see if any of these are included
SK in stable (etch) please could you do so?
I checked only the packages of last version. I'll few new checks...
SK It might be that we'd need to release a security update, or at
MdI just by looking at the name.
If program A writes file FILENAME and user1 and user2 can make (write)
symlinks 'FILENAME' then the name of program A is not important.
user1 creates a symlink FILENAME to ~user2/.gnupg/file,
then user2 starts program A and destroys his .gnupg/file, etc.
this is
On Mon, Aug 11, 2008 at 18:59:22 +0400, Dmitry E. Oboukhov wrote:
MdI just by looking at the name.
If program A writes file FILENAME and user1 and user2 can make (write)
symlinks 'FILENAME' then the name of program A is not important.
If that program is in a udeb, then user1 and user2 don't
JC just by looking at the name.
JC
JC If program A writes file FILENAME and user1 and user2 can make (write)
JC symlinks 'FILENAME' then the name of program A is not important.
JC
JC If that program is in a udeb, then user1 and user2 don't exist, so it's
JC not a security problem.
Yes, udeb is my
On Mon, 11 Aug 2008 10:57:56 +0400, Dmitry E. Oboukhov wrote:
Package: mplayer nws ppp twiki
Severity: grave
Tags: security
This message about the error concerns a few packages at once. I've
tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
config scripts were
Dmitry E. Oboukhov wrote:
os-prober_1.17 os-prober
/tmp/mounted-map (pipe)
/tmp/raided-map (pipe)
os-prober writes to $OS_PROBER_TMP/{mounted-map.raided-map,etc}, which is
created by: