Bill Allombert wrote:
> Package: libg20-perl
> Version: 0.70-1.2
> Severity: grave
> Tags: security
>
> Hello Eric,
>
> The file /usr/lib/perl5/auto/G2/G2.so includes a rpath pointing to
> /build/buildd/g2-0.70/g2_perl/.. which is not a FHS approved location.
>
> % chrpath /usr/lib/perl5/auto/G2/G2.so
> /usr/lib/perl5/auto/G2/G2.so: RPATH=/build/buildd/g2-0.70/g2_perl/..
>
> On some systems, a user could have write access to /build and thus be able
> to set up a rogue library in that location that will get loaded by users
> of libg20-perl.

While this should certainly be fixed, the severity seems a bit inflated.
For stable-security we decided to only issue a DSA if the rpath is set to
a path an unprivileged user can write to (like /tmp).

Cheers,
        Moritz
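
A triage sketch for the two criteria discussed in this thread (an added example, not part of the original messages): it parses a `chrpath` output line like the one quoted above and reports whether each RPATH directory, or the nearest existing ancestor when the directory is absent, is world-writable. The function names, the category labels, and the use of the world-writable bit as the test for "an unprivileged user can write to" are assumptions of this example.

```python
import os
import stat

# Output line quoted in the bug report above.
SAMPLE = "/usr/lib/perl5/auto/G2/G2.so: RPATH=/build/buildd/g2-0.70/g2_perl/.."

def parse_chrpath(line):
    """Split one `chrpath` output line into (file, [rpath directories])."""
    path, sep, rest = line.strip().partition(": ")
    tag, eq, value = rest.partition("=")
    if not sep or not eq or tag not in ("RPATH", "RUNPATH"):
        return path, []
    return path, [d for d in value.split(":") if d]

def classify(rpath_dir):
    """Return 'writable', 'missing', 'ok' or 'relative' for one entry.

    'writable': the directory, or the closest existing ancestor in which
                it could be created, has the world-writable bit set.
    'missing' : the directory does not exist and that ancestor is not
                world-writable; exposure depends on who may create it.
    Assumption: only the world-writable bit is checked, not ownership or
    group write access.
    """
    if not os.path.isabs(rpath_dir):
        return "relative"  # e.g. $ORIGIN or cwd-relative; review separately
    # Lexical normalisation only; symlinks inside the path are not resolved.
    path = os.path.normpath(rpath_dir)
    exists = os.path.isdir(path)
    probe = path
    while not os.path.exists(probe):
        probe = os.path.dirname(probe)
    if os.stat(probe).st_mode & stat.S_IWOTH:
        return "writable"
    return "ok" if exists else "missing"

def triage(chrpath_line):
    """Classify every RPATH entry reported on one chrpath output line."""
    binary, dirs = parse_chrpath(chrpath_line)
    return [(binary, d, classify(d)) for d in dirs]

if __name__ == "__main__":
    for binary, entry, verdict in triage(SAMPLE):
        print(f"{verdict:9} {entry}  ({binary})")
```
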