Control: tags -1 + upstream fixed-upstream
Control: forwarded -1 https://github.com/karelzak/util-linux/commit/687cc5d58942b24a9f4013c68876d8cbea907ab1

Hello Federico Bento!

Thanks for your detailed bug report.

On Mon, May 25, 2015 at 07:51:11PM +0200, up201407...@alunos.dcc.fc.up.pt wrote:
> Package: util-linux
> Version: 2.26.2
>
> Actually, all versions of util-linux are affected.

Given that you didn't specify a valid Debian revision in the Version tag, the bug tracking system is tracking it as affecting all versions. :)

[...]
> During a recent assessment I have stumbled across a system which had
> hwclock(8) setuid root
[...]

To clarify for the records, hwclock is *not* shipped suid in Debian so this does not affect normal installs. Only if the admin manually modified the system (based on incorrect information in the manpage).

[...]
> Exploiting is trivial, since $PATH is user-controlled
[...]

I've mentioned your bug report to upstream which quickly followed up with the following commit:

https://github.com/karelzak/util-linux/commit/687cc5d58942b24a9f4013c68876d8cbea907ab1

This will be part of future upstream v2.27 release (at least).

This should hopefully address your concerns. Please follow up if you spot any additional problems with the new upstream code and manpage instructions. For more direct interaction and fewer round trips, feel free to contact upstream util-linux mailing list on vger.kernel.org directly.

Thanks again for your detailed bug report.

Regards,
Andreas Henriksson