
Re: RfD: Preparing Debian 2.1r3



Martin Schulze wrote:
>   package: bsdgames-nonfree
>   version: 2.5-2
>     minor bugfix, doesn't fit update criteria

It's actually a very very minor security fix. If you:

* have bsdgames-nonfree installed, but have set rogue non-sgid games and
* upgrade to a newer version

Then it would be sgid games for a minute in the window after the install and
before the postinst changes it back to the permissions you set, and if there
is a problem with it being sgid games, an attacker could exploit that in the
window.

Anyway, all packages in stable that use suidregister have this problem, and
I wouldn't lose much sleep over it.

-- 
see shy jo
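
The window described in this message, reproduced in a temporary directory as an added example (not part of the original post, and not Debian's or dpkg's code). The file names, the `simulate_upgrade` function and the `fix-before-rename` ordering used for contrast are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed simulation: no real package, dpkg or suidregister is involved.
# It records whether the set-group-ID bit is live on the installed path at
# three points: before the upgrade, right after the new file is in place,
# and after the maintainer script has run.

# Print "sgid" if the set-group-ID bit is set on the file, else "plain".
mode_of() { if [ -g "$1" ]; then echo sgid; else echo plain; fi; }

# simulate_upgrade DIR ORDER
#   unpack-then-fix   : the sequence from the message (shipped mode goes
#                       live, postinst restores the admin's mode later)
#   fix-before-rename : hypothetical ordering where the admin's mode is
#                       applied to the new file before it replaces the old
simulate_upgrade() {
    dir=$1
    order=$2
    bin="$dir/rogue"
    new="$dir/rogue.new"

    # Admin's chosen state: binary installed, sgid bit removed.
    printf 'old version\n' > "$bin"
    chmod 0755 "$bin"
    trace=$(mode_of "$bin")

    # New version as shipped in the package: sgid bit set.
    printf 'new version\n' > "$new"
    chmod 2755 "$new"

    case $order in
        unpack-then-fix)
            mv "$new" "$bin"                    # unpack: shipped mode is live
            trace="$trace $(mode_of "$bin")"    # <- the exposure window
            chmod 0755 "$bin"                   # postinst restores admin mode
            ;;
        fix-before-rename)
            chmod 0755 "$new"                   # apply admin mode first
            mv "$new" "$bin"
            trace="$trace $(mode_of "$bin")"
            ;;
    esac
    echo "$trace $(mode_of "$bin")"
}

d=$(mktemp -d)
echo "unpack-then-fix:   $(simulate_upgrade "$d" unpack-then-fix)"
echo "fix-before-rename: $(simulate_upgrade "$d" fix-before-rename)"
rm -rf "$d"
```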

