Your message dated Sat, 6 Apr 2019 06:43:20 +0200
with message-id <34c069a3-16a1-ecf3-4f6c-1ab04be80...@debian.org>
and subject line apport was removed from Debian
has caused the Debian Bug report #924693,
regarding apport: /var/crash/.lock is world-writable
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
--
924693: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924693
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apport
Version: 2.20.4-5
Tags: security
Apport creates /var/crash/.lock as readable and writable for anyone:
  # ls -l /var/crash/.lock
  -rwxrwxrwx 1 root root 0 Mar 15 22:30 /var/crash/.lock
This allows malicious local users to do bad things:
* They could fill up the disk, bypassing quotas.
* They could acquire a lock on the file and never release it, effectively
disabling core dumping for everyone.
* They could use the file as an aid in exploiting other
vulnerabilities, such as this:
http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/
Please make the lock file accessible only to root.
--
Jakub Wilk
--- End Message ---
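The check and the fix requested in the report above, as an added example that is not part of the original message and is not apport's own code. The function names audit_lock and open_lock are hypothetical, and a scratch directory stands in for /var/crash.

```python
import os
import stat
import tempfile

def audit_lock(path, expected_uid=0):
    """Return findings for a lock file; an empty list means owner-only."""
    st = os.lstat(path)  # lstat: inspect the path itself, never a symlink target
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != expected_uid:
        findings.append("unexpected owner uid %d" % st.st_uid)
    extra = stat.S_IMODE(st.st_mode) & 0o077
    if extra:
        findings.append("group/other access bits %03o" % extra)
    return findings

def open_lock(path):
    """Open or create a lock file that only the calling user can access."""
    # O_NOFOLLOW refuses a symlink planted at the path; the explicit 0o600
    # replaces os.open()'s default creation mode of 0o777.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            raise PermissionError("refusing lock file not owned by caller: " + path)
        os.fchmod(fd, 0o600)  # tighten a pre-existing file left with loose bits
    except Exception:
        os.close(fd)
        raise
    return fd

if __name__ == "__main__":
    # Constructed sample: a scratch directory stands in for /var/crash.
    lock = os.path.join(tempfile.mkdtemp(), ".lock")
    open(lock, "w").close()
    os.chmod(lock, 0o777)  # reproduce the mode shown in the report
    print("before:", audit_lock(lock, os.geteuid()))
    os.close(open_lock(lock))
    print("after: ", audit_lock(lock, os.geteuid()))
```

The fchmod on the open descriptor matters for upgrades: a lock file created earlier with loose permissions keeps them unless the mode is reset explicitly.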
--- Begin Message ---
Version: 2.20.4-5+rm
apport has been removed from Debian/experimental, it was never part of
unstable. See https://bugs.debian.org/924960 for details on the removal.
I'm therefore closing the remaining bugs.
Andreas
--- End Message ---