Package: slrn
Version: 1.0.0~pre16-1
Severity: critical

Directories /var/log/news/ and /etc/news/ have weird ownership - news:news. Some deb scripts use these directories as trusted and write to files located there, e.g. like this (from slrnpull.postinst):

    echo "$RET" > /etc/news/server

These directories must not be writable by non-root as it might compromise root via specially crafted symlinks/hardlinks/etc. created by user or group "news".

As these directories are not owned by a single package, but are created by each package, all packages owning files in these directories might be vulnerable:

    $ apt-file search /etc/news/ | cut -d: -f1 | uniq
    ifgate
    inn
    inn2
    inn2-inews
    innfeed
    leafnode
    slrn
    slrnpull
    uucpsend

If I should report this bug another way as it affects multiple packages, please tell me how I should do it.

Reference:
https://bugs.launchpad.net/ubuntu/+source/slrn/+bug/731547

Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
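A check that a root-run maintainer script could make before a write like the one to /etc/news/server quoted in the report, given as an added example that is not part of the original report or of any Debian package. The function names dir_is_trusted, target_is_safe and audit_news_dirs are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes GNU stat (as on Debian).
# Only the directory itself is checked; its ancestors are assumed root-owned.

# dir_is_trusted DIR [UID]: succeed only if DIR is a real directory (not a
# symlink), owned by UID (default 0, root) and not group/other-writable.
dir_is_trusted() {
    d_path=${1%/}; d_uid=${2:-0}
    [ -n "$d_path" ] || d_path=/
    [ -d "$d_path" ] && [ ! -L "$d_path" ] || return 1
    d_owner=$(stat -c %u -- "$d_path") || return 1
    d_mode=$(stat -c %a -- "$d_path") || return 1
    [ "$d_owner" -eq "$d_uid" ] || return 1
    # 022 = write bits for group and others
    [ $(( 0$d_mode & 022 )) -eq 0 ]
}

# target_is_safe FILE [UID]: succeed only if FILE's directory is trusted and
# FILE is absent or a regular file with a single link. The file checks are
# race-free only because the directory check already passed: nobody but the
# trusted owner can then replace the entry between the check and the write.
target_is_safe() {
    dir_is_trusted "$(dirname -- "$1")" "${2:-0}" || return 1
    [ ! -L "$1" ] || return 1
    [ -e "$1" ] || return 0
    [ -f "$1" ] && [ "$(stat -c %h -- "$1")" -eq 1 ]
}

# Report on the two directories named in the bug report, if present.
audit_news_dirs() {
    for n_dir in /etc/news /var/log/news; do
        [ -e "$n_dir" ] || continue
        if dir_is_trusted "$n_dir"; then
            echo "ok: $n_dir"
        else
            echo "untrusted: $n_dir ($(stat -c '%U:%G mode %a' -- "$n_dir"))"
        fi
    done
}

audit_news_dirs
```

On a system with the news:news ownership described in the report, audit_news_dirs flags both directories and target_is_safe /etc/news/server fails, so the script can refuse the write.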