Hi,
* Adam D. Barratt <[EMAIL PROTECTED]> [2008-12-08 09:09]:
> On Mon, 2008-12-08 at 01:31 +0100, Cyril Brulebois wrote:
> [...]
> > Since the filename is predictable, I guess debsign is vulnerable to symlink
> > attacks and the like (although I'm no security crack, etc., sorry if I'm
> > overthinking the consequences of this bug).
> 
> I'm not 100% sure myself, to be honest. Security team?

No, this is correct, devscripts is vulnerable to a symlink
attack before the fix (for example signfile()).

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
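
The predictable-filename problem confirmed in this thread, shown next to the usual fix. This is an added example, not part of the original mails and not code from devscripts; the function names, the `pkg.dsc` file name and the directory layout are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added illustration; names and paths are hypothetical, not debsign's code.

# Vulnerable pattern: the work file name is derived only from the input
# name, so anyone who can write to $tmpdir can pre-create it as a symlink.
write_unsafe() {
    tmpdir=$1; name=$2; data=$3
    out="$tmpdir/$name.asc"            # predictable name
    printf '%s\n' "$data" > "$out"     # '>' follows an existing symlink
    printf '%s\n' "$out"
}

# Hardened pattern: mktemp chooses an unpredictable name and creates the
# file exclusively, so a pre-planted link at a guessed name is never opened.
write_safe() {
    tmpdir=$1; name=$2; data=$3
    out=$(mktemp "$tmpdir/$name.XXXXXXXX") || return 1
    printf '%s\n' "$data" > "$out"
    printf '%s\n' "$out"
}

# Constructed scenario: a shared directory in which the predictable name
# already exists as a symlink to another file owned by the invoking user.
# Prints the content of that other file after the write.
demo() {
    mode=$1
    shared=$(mktemp -d) || return 1
    victim="$shared/victim.txt"
    printf 'original\n' > "$victim"
    ln -s "$victim" "$shared/pkg.dsc.asc"
    "write_$mode" "$shared" pkg.dsc 'signed data' >/dev/null
    result=$(cat "$victim")
    rm -rf "$shared"
    printf '%s\n' "$result"
}

echo "unsafe: $(demo unsafe)"   # the linked file was overwritten
echo "safe:   $(demo safe)"     # the linked file is untouched
```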
