On Tue, Sep 28, 2010 at 03:41:28PM -0500, Raphael Geissert wrote:
> paxtest writes to paxtest.log in $CWD, which might be abused by a local
> attacker to modify arbitrary files via a symlink or similar.

This is hardly an important bug since paxtest does not write (by itself) to an insecure location. The *user* has to run paxtest while in an insecure location (/tmp/) in order for this to be exploitable.

In any case, paxtest could be modified to output to $HOME/paxtest.log or make it write into a log file only if requested to (through a command line switch) and output the information to standard output otherwise. Ironically, in order to do the latter it would *then* have to make use of a temporary file.

I see this more as a 'normal' bug since a user cannot use 'paxtest' unless he is in a directory he has write access to. The security team might want to comment, but I do not think this merits a DSA.

Regards

Javier
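An added example, not part of the message above and not paxtest's own code: one way a program can open a log file in the current directory without writing through a planted symlink or hard link. The helper name `open_log_nofollow` and the fallback to standard output are assumptions made for this illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes O_NOFOLLOW, O_CLOEXEC and dprintf on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns an fd open for appending, or -1 when the
 * path is a symlink, not a regular file, hard-linked elsewhere, or owned
 * by another user. */
int open_log_nofollow(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: fail (ELOOP) if the final path component is a symlink.
     * O_NONBLOCK: a planted FIFO fails at once instead of blocking open().
     * Mode 0600: a newly created log is private to the caller. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW |
                        O_NONBLOCK | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    /* Inspect the object that was actually opened; fstat() works on the
     * descriptor, so the path cannot be swapped between check and use. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "paxtest.log";
    int fd = open_log_nofollow(path);
    if (fd < 0) {
        /* Refuse the suspicious file and report on standard output. */
        fprintf(stderr, "refusing to log to %s; using stdout\n", path);
        fd = STDOUT_FILENO;
    }
    dprintf(fd, "constructed sample log line\n");
    if (fd != STDOUT_FILENO)
        close(fd);
    return EXIT_SUCCESS;
}
```

`O_NOFOLLOW` only covers the last path component, so this guards a log name inside the working directory, not a symlinked parent directory.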