Package: leksbot
Version: 1.2-3
Severity: critical
Tags: security
Justification: root security hole

hi,

I just found this package while searching for setuid-root binaries:

-rwsr-xr-x    1 root     root         4060 Aug 29 21:29 /usr/bin/KATAXWR

compiling the package from source results in this:

gcc kataxwr.c -O2 -o KATAXWR
/tmp/cc870UKD.o: In function `main':
/tmp/cc870UKD.o(.text+0xd1): the `gets' function is dangerous and should not be used.

need I say more? ......

taking a look at the changelog:

> leksbot (1.2-1) unstable; urgency=low
[...]
>   * Set KATAXWR setuid so that every user can edit the lexikon Index

if we want all users to be able to write to this index, better make that file world-writeable.

-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux sushi 2.4.5 #1 SMP Sat Jun 9 23:32:52 CEST 2001 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages leksbot depends on:
ii  libc6          2.2.4-1        GNU C Library: Shared libraries an
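The linker warning above is about gets(), which reads a line with no length bound; in a setuid-root program any over-long line on stdin overruns the stack buffer with attacker-controlled bytes. The following is an added example, not code from the leksbot package or from the reporter, showing the two fixes a maintainer would apply: a bounded line reader that rejects (rather than silently truncates) lines that do not fit, and a drop_root() that gives up the setuid-granted privilege before any user input is touched. The function names, the enum values and the sample input strings are assumptions made for this example; fmemopen() is used only so the reader can be exercised on an in-memory string.

```c
/* Added example (not from leksbot): bounded replacement for gets() plus an
 * early privilege drop, the two changes a setuid-root program like KATAXWR
 * would need. Build: gcc -Wall -O2 example.c -o example */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The pattern the linker warned about, kept as a comment so this file builds
 * cleanly.  gets() takes no length, so a line longer than 'name' overwrites
 * whatever follows it on the stack (saved registers, return address).  In a
 * setuid-root binary that is a local root exploit, not just a crash:
 *
 *     char name[64];
 *     gets(name);
 */

enum line_status { LINE_OK = 0, LINE_EOF = -1, LINE_TOO_LONG = -2 };

/* Read one line into buf (capacity n), strip the trailing newline, and refuse
 * lines that do not fit.  The remainder of a too-long line is drained so the
 * next call starts on a fresh line and the caller cannot be confused by the
 * tail of the rejected input. */
int read_line_bounded(char *buf, size_t n, FILE *in)
{
    if (n == 0 || fgets(buf, (int)n, in) == NULL) {
        if (n)
            buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline in buf: either the last line of input lacked one, the line
     * was exactly n-1 bytes, or it overflowed the buffer.  Peek one byte. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;
    while (c != EOF && c != '\n')
        c = fgetc(in);           /* discard the rest of the over-long line */
    buf[0] = '\0';
    return LINE_TOO_LONG;
}

/* Give up the effective root uid the setuid bit granted, before reading any
 * user-controlled data.  Returns 0 on success, -1 if the drop failed or did
 * not stick (for a non-root real uid, regaining root must be impossible). */
int drop_root(void)
{
    uid_t real = getuid();
    if (setuid(real) != 0)
        return -1;
    if (real != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Helper for stand-alone runs and tests: run the reader over a constructed
 * in-memory string instead of stdin. */
int read_line_from_string(const char *text, char *buf, size_t n)
{
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (in == NULL)
        return LINE_EOF;
    int st = read_line_bounded(buf, n, in);
    fclose(in);
    return st;
}

int main(void)
{
    char buf[16];                 /* deliberately small to show rejection */
    if (drop_root() != 0) {
        fputs("could not drop privileges\n", stderr);
        return 1;
    }
    int st = read_line_from_string("short line\n", buf, sizeof buf);
    printf("status=%d buf=\"%s\"\n", st, buf);
    st = read_line_from_string("this line is far longer than sixteen bytes\n",
                               buf, sizeof buf);
    printf("status=%d buf=\"%s\"\n", st, buf);
    return 0;
}
```

The reporter's other point stands independently of the code: if the only reason for the setuid bit is that every user may write the lexikon index, a world-writable (or group-writable) index file gives the same result with no privileged code path at all, and the gets() call then becomes an ordinary bug rather than a root hole.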