On Fri, Nov 14, 2003 at 02:01:15PM +1000, Anthony Towns wrote:
> AFAICS, the patch is about preventing some information leaks (as an
> unprivileged user, you can use suidperl to find some information about
> files you don't otherwise have access to - mainly whether they exist, and
> if they're setuid). While that's a good thing to fix, it doesn't really
> seem to "allow access to the accounts of users who use the package", and I
> don't think it's entirely reasonable to classify this level of information
> leakage as a critical security hole.
>
> (If it is, a DSA needs to be prepared for stable, presumably)
A DSA was in preparation, and then Paul Szabo reported further problems with the fix which had been implemented. An updated patch is in the BTS now, I believe. The previous bug was #203426, and the new one is #220426 (CC'd).

I don't think that anyone from Debian has claimed that this is a critical bug. It is an exposure, of course, and should be fixed. I do not think that it should prevent the current version of perl from entering testing at this time, but I do think that a fixed version of perl should replace it before release, and we also need to do a DSA.

--
 - mdz