Hi,

On Monday 23 February 2009, Gerrit Pape wrote:
> tags 516669 + patch
> quit
>
> On Mon, Feb 23, 2009 at 12:43:39AM +0100, Peter Palfrader wrote:
> > Files in /usr/share/git-core are not owned by root on lenny/alpha.
>
> Thanks for catching this. Here's a patch for stable, unstable already
> contains the fix, although there seems to be another similar permissions
> problem I'm investigating right now.
>
> The bug only has an impact if the package is built with -rsudo, the
> files are properly owned by root with -rfakeroot. The alpha, mips, and
> mipsel autobuilders seem to use -rsudo.
>
> t...@security, if there's anything more I can do, such as providing a
> signed package for stable, please let me know.

Thanks Peter for the report and Gerrit for the quick patch.

As I understand it, these files are not usually executed directly, but do
serve as templates for scripts that are executed, so someone could edit their
content and hope that an administrator copies the script without noticing the
change. That seems reason enough for me for a stable security update.

We need a sourceful update to prevent the problem from reappearing if someone
rebuilds the package themselves or a subsequent security upload is made. Your
patch seems fine. The issue also affects oldstable.

Gerrit, it would be great if you could provide updated packages for
stable-security and oldstable-security. Please upload them to
security-master, and make sure you build with full source ("-sa") at least
for the stable-security one.

thanks,
Thijs
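A check for the condition discussed in this thread, as an added example that is not part of the original messages or of the package's own tooling: it scans a tar payload (the form in which a .deb carries its files) for members under /usr/share/git-core that are not owned by root:root. The sample archive, its file names and the function names are constructed for illustration.

```python
import io
import tarfile

PREFIX = "usr/share/git-core/"


def build_sample_payload() -> bytes:
    """Constructed sample: a tar payload with one member owned by root and
    one left owned by a build user (uid/gid 1000), as a -rsudo build could."""
    members = [
        ("./usr/share/git-core/sample-a", 0, 0, "root"),
        ("./usr/share/git-core/sample-b", 1000, 1000, "builder"),
        ("./usr/share/doc/sample-c", 1000, 1000, "builder"),  # outside prefix
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, uid, gid, owner in members:
            data = b"#!/bin/sh\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755
            info.uid, info.gid = uid, gid
            info.uname = info.gname = owner
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_ownership(payload: bytes, prefix: str = PREFIX):
    """Return (path, uid, gid) for every member under prefix whose numeric
    owner or group is not 0. Numeric ids are checked, not names, because
    names can be missing or misleading in an archive."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:*") as tar:
        for member in tar:
            # Package payloads usually store paths with a leading "./".
            path = member.name[2:] if member.name.startswith("./") else member.name
            if path.startswith(prefix) and (member.uid != 0 or member.gid != 0):
                findings.append((path, member.uid, member.gid))
    return findings


if __name__ == "__main__":
    for path, uid, gid in audit_ownership(build_sample_payload()):
        print(f"{path}: uid={uid} gid={gid} (expected 0:0)")
```
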

