oss-sec mailing list archives
Re: CVE request: Debian's package "mysql-server" leaks credential information
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Sat, 08 Jun 2013 13:28:28 -0400
On 06/08/2013 07:00 AM, gremlin () gremlin ru wrote:
> That's not a security issue, but a misconfiguration
I consider this a security bug in the Debian package's maintainer scripts: it is a race condition that leaks confidential information to a user who "wins" the race. It is *not* a misconfiguration; it is a bug with security implications.
> (alas, very common for Deb*an packages)
If you know of more bugs like this, please report them with an e-mail to submit () bugs debian org with the first line "Package: FOO" (where "FOO" is replaced by the name of the buggy package). Thanks!
> so at least I doubt that deserves a CVE.
I respectfully disagree; if an upstream package leaks confidential information to an adversary who "wins" a race, that is a bug which deserves a CVE. Debian packaging bugs should be held to the same standard.

Regards,

--dkg
(I am a member of the Debian project)