Nico Golde wrote, Mon, 8 Dec 2008 11:25:36 +0100:
[...]
Nico Golde wrote, Monday, December 08, 2008 8:36 AM:
[...]
>No this is correct, devscripts is vulnerable to
>a symlink attack before the fix (for example signfile()).
[...]
Just had a look again at this issue. It should be no
real proble
Hi,
* Adam D. Barratt <[EMAIL PROTECTED]> [2008-12-08 11:03]:
> Nico Golde wrote, Monday, December 08, 2008 8:36 AM:
> >* Adam D. Barratt <[EMAIL PROTECTED]> [2008-12-08 09:09]:
> >> On Mon, 2008-12-08 at 01:31 +0100, Cyril Brulebois wrote:
> >> [...]
> >> > Since the filename is predictable, I gue
Hi,
Nico Golde wrote, Monday, December 08, 2008 8:36 AM:
* Adam D. Barratt <[EMAIL PROTECTED]> [2008-12-08 09:09]:
> On Mon, 2008-12-08 at 01:31 +0100, Cyril Brulebois wrote:
> [...]
> > Since the filename is predictable, I guess debsign is vulnerable to
> > symlink
> > attacks and the like (al
Hi,
* Adam D. Barratt <[EMAIL PROTECTED]> [2008-12-08 09:09]:
> On Mon, 2008-12-08 at 01:31 +0100, Cyril Brulebois wrote:
> [...]
> > Since the filename is predictable, I guess debsign is vulnerable to symlink
> > attacks and the like (although I'm no security crack, etc., sorry if I'm
> > overthin
On Mon, 2008-12-08 at 01:31 +0100, Cyril Brulebois wrote:
> Package: devscripts
> Version: 2.10.41
> Severity: serious
> Tags: patch security
> Justification: Vulnerable to symlink attacks (unless I'm mistaken).
[...]
> but your usage of mktemp is bogus, since .$2 is appended to the X's. The
> atta
Package: devscripts
Version: 2.10.41
Severity: serious
Tags: patch security
Justification: Vulnerable to symlink attacks (unless I'm mistaken).
Hi,
mktemp(1) says it all:
,--
| The trailing ‘Xs’ are replaced with a combination of the cur‐
| rent process number and random letters. The na
6 matches