Hi Bill, Thanks for your quick answer.
My bug entry was just to inform you =) Regards, Wil ________________________________________ From: Bill Allombert [ballo...@debian.org] Sent: Friday, November 29, 2019 4:47 PM To: PASCAULT Wilfried OBS/OCD; 945...@bugs.debian.org Subject: Re: Bug#945839: arbitrary file write vulnerability in pari/gpo On Fri, Nov 29, 2019 at 03:16:37PM +0000, wilfried.pasca...@orange.com wrote: > Package: pari > Version: 2.11.1-2 > > Georgi Guninski disclosed on Nov 26 a vulnerability on Full Disclosure [1]. > > He's saying that pari/gp packages are vulnerable to an arbitrary code > execution ; and mainstream package versions are vulnerable on Stretch > and Buster. Hello Wilfried, Georgi Guninski is mistaken. gp is a language interpretor like bash, perl and python. They all allow arbitrary code execution. The ability to write files and run arbitrary code is a feature and not a bug. GP is not documented as providing an environment with security properties, so there cannot be a vulnerability. Cheers, -- Bill. <ballo...@debian.org> Imagine a large red swirl here. _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
