How about it, Anthony; can we dosrcanyway w3m? I think we'll then need
to remove stalin from testing in order to get a newer libgc in (due to
#216341, although I'll try to remember to talk to a buildd admin about
that), but everything else should be OK now.

-- 
Colin Watson                                  [EMAIL PROTECTED]

----- Forwarded message from Matt Zimmerman <[EMAIL PROTECTED]> -----

Date: Wed, 5 Nov 2003 11:24:24 -0500
From: Matt Zimmerman <[EMAIL PROTECTED]>
To: Colin Watson <[EMAIL PROTECTED]>
Cc: Fumitoshi UKAI <[EMAIL PROTECTED]>, [EMAIL PROTECTED],
        [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Bug#200028: w3m-img: w3mimgdisplay is setuid root
User-Agent: Mutt/1.3.28i

On Wed, Nov 05, 2003 at 09:54:52AM +0000, Colin Watson wrote:

> On Sat, Aug 30, 2003 at 02:08:36PM -0400, Matt Zimmerman wrote:
> > How about it, Bdale?
> 
> Bdale, ping? We need to get a fixed w3m-img in order to be able to get a
> new libgc into testing, and we need that in order to upgrade libsigc++,
> etc. It's getting pretty urgent.
> 
> (Alternatively: Matt, does this have to be serious, noting that woody's
> w3mimgdisplay is also setuid root, so it's not as if it's a regression?  I
> suppose we could have britney ignore it on that basis.)

Right, this is not a regression, and there is not a proven security
vulnerability here, only an excess of privilege.  I still believe this
should be dealt with before the sarge release, but it does not seem
necessary for it to block packages from entering testing.

-- 
 - mdz


----- End forwarded message -----
