Various Cc's dropped, [EMAIL PROTECTED] added. bod: we're talking about the grave perl bug, i.e. the patch for improving the security model.
On Thu, Nov 13, 2003 at 03:28:35PM -0500, Matt Zimmerman wrote:
> On Thu, Nov 13, 2003 at 02:22:43PM -0600, Steve Langasek wrote:
> > On Thu, Nov 13, 2003 at 09:13:37PM +0100, Adrian Bunk wrote:
> > > But that's the decision of the perl maintainer and the security team.
> > I think it's silly to claim that a flaw that's been well-known for ages
> > constitutes an RC bug that should be allowed to hold up the progress of
> > the release. If this was really RC, it should have shown up long ago
> > and resulted in immediate removal of perl-suid.
> There was already one patch which improved the situation with suidperl.
> What is the status of the package in testing? Does it have that preliminary
> fix, or is it equivalent to the woody version?

Some previous patches appear to have been applied to 5.8.0-20 and later, but -18 is what's in testing.

AFAICS, the patch is about preventing some information leaks (as an unprivileged user, you can use suidperl to find some information about files you don't otherwise have access to - mainly whether they exist, and if they're setuid). While that's a good thing to fix, it doesn't really seem to "allow access to the accounts of users who use the package", and I don't think it's entirely reasonable to classify this level of information leakage as a critical security hole. (If it is, a DSA needs to be prepared for stable, presumably.)

Cheers,
aj

-- 
Anthony Towns <[EMAIL PROTECTED]> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

Australian DMCA (the Digital Agenda Amendments) Under Review! -- http://azure.humbug.org.au/~aj/blog/copyright/digitalagenda