On 08.05.2011 23:58, Vincent Zweije wrote:
On Sun, May 08, 2011 at 11:51:40PM +0200, Vincent Zweije wrote:
|| Looking at /etc/ati/authatieventsd.sh, this piece of code is wrong:
||> revoke)
||> if [ `pinky -fs | awk '{ if ($3 == "'$2'" || $(NF) == "'$2'" ) { print $1; exit; } }'` ]; then
||> user=`pinky -fs | awk '{ if ($3 == "'$2'" || $(NF) == "'$2'" ) { print $1; exit; } }'`
||> su $user -c "xauth -f $3 remove $2" || exit -1
||> else
||> xauth -f $3 remove $2 || exit -1
||
|| And strictly speaking, the same twice here, but the secret is being
|| removed so exploiting its knowledge would be very hard though not
|| theoretically impossible. Anyway, if you're fixing the grant case, do the
|| revoke case at the same time so they use the same method. It's just good
|| software engineering.
I think I had my eyes crossed here. No secret cookie is being mentioned,
only the display name which is not secret.
Do you want to say that the security part of this bug could be closed?
Sorry yes I mean 11-4, not 10-4 :)