Package: sed
Version: 4.1.2-8
Severity: grave
Tags: security
Justification: user security hole

When doing in-place editing, sed creates a new file without copying ACLs and user-defined EA. It's not only a loss of maybe precious data (user-defined EA) but a security hole, because dropping the ACLs can give back some rights on the file.

For detailed information about the problem and the solution in general, see:
http://www.suse.de/~agruen/ea-acl-copy/

As sed is a very common tool, the problem is also that it will probably be used on files without the knowledge of the user (e.g. by way of shell scripts).

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-k7
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages sed depends on:
ii  libc6  2.3.5-6  GNU C Library: Shared libraries an

sed recommends no packages.

-- no debconf information

--
[EMAIL PROTECTED]
OpenPGP 0xD9D50D8A
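An added example, not part of the original report and not sed's code: one way a tool can rewrite a file through a temporary file while carrying over ACLs and user-defined EAs, which is the step the report says is missing. It assumes Linux, where POSIX ACLs are stored in the `system.posix_acl_*` extended attributes; `copy_xattrs` and `edit_in_place` are hypothetical names.

```python
# Added illustration; function names are hypothetical, Linux xattr API assumed.
import errno
import os
import stat
import tempfile


def copy_xattrs(src, dst):
    """Copy every extended attribute from src to dst; return (copied, failed) names."""
    copied, failed = [], []
    try:
        names = os.listxattr(src)  # includes system.posix_acl_access when an ACL is set
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.ENOSYS):
            return copied, failed  # filesystem has no xattr support, nothing to lose
        raise
    for name in names:
        try:
            os.setxattr(dst, name, os.getxattr(src, name))
            copied.append(name)
        except OSError:
            failed.append(name)  # e.g. security.* attributes without privilege
    return copied, failed


def edit_in_place(path, transform, strict=True):
    """Rewrite path via a temp file, restoring owner, ACLs, EAs and mode before rename."""
    st = os.stat(path)
    with open(path, "r", encoding="utf-8") as fh:
        new_text = transform(fh.read())
    # mkstemp creates the file with mode 0600, so it stays private until metadata is set.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as out:
            out.write(new_text)
        try:
            os.chown(tmp, st.st_uid, st.st_gid)
        except PermissionError:
            pass  # unprivileged caller editing a file owned by someone else
        copied, failed = copy_xattrs(path, tmp)
        os.chmod(tmp, stat.S_IMODE(st.st_mode))
        if strict and any(n.startswith("system.posix_acl_") for n in failed):
            raise PermissionError("ACL could not be copied; refusing to replace " + path)
        os.replace(tmp, path)  # atomic swap only after metadata matches the original
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return copied, failed
```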