Hi Balint
It was the default shell that made the difference. Thanks again for this
suggestion. I can reproduce the problem now. Very good.
An interesting note is that it is only possible to escalate the privilege
to root. If I change the owner of the file to www-data (and the setuid to
33) the id
On Fri, Oct 07, 2016 at 01:09:29PM +0200, Hugo Lefeuvre wrote:
> Hi,
>
> > I'll prepare a patch adding the usb_xhci_exit function and will
> > perform some more tests.
>
> Well, here is what I got after taking some hours to try to produce a
> patch for CVE-2016-7466[0]:
>
> * It is not possible
wf...@niif.hu (Ferenc Wágner) writes:
> Thorsten Alteholz writes:
>
>> the Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of pacemaker:
>> https://security-tracker.debian.org/tracker/CVE-2016-7797
>
> I don't see how this affects 1.1.7 (the
On Fri, 2016-10-07 at 17:52 +1100, Brian May wrote:
> > Ben Hutchings writes:
>
> > > It looks like this patch does three things
> > >
> > > * It removes "assert(n > 0)".
> > >
> > > * It removes the now unused n parameter from the
> > > manager_invoke_notify_message() function.
> > >
> > >
On Fri, 07 Oct 2016, Adrian Bunk wrote:
> > So while it has been used it's not the only one in use in the context
> > of the security team.
>
> It is a different version numbering than the MySQL 5.5 case because it
> is a different situation.
>
> This OpenJDK DSA is not a packaging of a new vers
Hi,
> I'll prepare a patch adding the usb_xhci_exit function and will
> perform some more tests.
Well, here is what I got after taking some hours to try to produce a
patch for CVE-2016-7466[0]:
* It is not possible to introduce the usb_xhci_exit function in qemu v1.1.2
as it has been done in
On Fri, Oct 07, 2016 at 09:11:15AM +0200, Raphael Hertzog wrote:
> Hi,
>
> On Thu, 06 Oct 2016, Adrian Bunk wrote:
> > On Thu, Oct 06, 2016 at 06:16:37PM +0200, Raphael Hertzog wrote:
> > > On Thu, 06 Oct 2016, Adrian Bunk wrote:
> > >...
> > > > Do you have any rationale why you think -1~deb7u1 w
Hi Raphael,
On Fri, Oct 07, 2016 at 09:11:15AM +0200, Raphael Hertzog wrote:
> Hi,
>
> On Thu, 06 Oct 2016, Adrian Bunk wrote:
> > On Thu, Oct 06, 2016 at 06:16:37PM +0200, Raphael Hertzog wrote:
> > > On Thu, 06 Oct 2016, Adrian Bunk wrote:
> > >...
> > > > Do you have any rationale why you thin
Hi,
2016-10-07 8:10 GMT+02:00 Ola Lundqvist:
> Hi Balint
>
> Ah, it could be the default shell. I'll try that. Thanks for the suggestion.
>
> Merely that the command id is executed is not a reproduction. It has to be
> executed as another user than the one executing the binary to be a
> secur
Hi,
On Thu, 06 Oct 2016, Adrian Bunk wrote:
> On Thu, Oct 06, 2016 at 06:16:37PM +0200, Raphael Hertzog wrote:
> > On Thu, 06 Oct 2016, Adrian Bunk wrote:
> >...
> > > Do you have any rationale why you think -1~deb7u1 would be better
> > > than -0+deb7u1?
> >
> > My preference goes for the former
Ben Hutchings writes:
>> It looks like this patch does three things
>>
>> * It removes "assert(n > 0)".
>>
>> * It removes the now unused n parameter from the
>> manager_invoke_notify_message() function.
>>
>> * It removes the return(0) if n==0. This looks like the only relevant part.
>>
>>