oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH

From: Tim Brown <tmb () 65535 com>
Date: Sun, 21 Oct 2012 01:10:55 +0100
On Wednesday 17 Oct 2012 20:46:55 Michael Gilbert wrote:


It was uploaded to and affected Debian testing and unstable.  Testing
has not yet been officially "released", but some people use testing as
if it were an official release.  Unstable never gets released.


FWIW, I have added a check to unix-privesc-check for privileged binaries that 
have "PATH=" embedded in them and run it over a couple of fairly vanilla 
Debian systems with KDE on it and seen a few other cases of embedded PATHs.  
This yielded a few cases where "privileged" binaries trust 
/usr/local/{bin/sbin} but nothing else untoward. trunk is currently in flux, 
but vendors may wish to incorporate it into their release testing in due 
course.

Tim
-- 
Tim Brown
<mailto:tmb () 65535 com>

Attachment: signature.asc
Description: This is a digitally signed message part.

Previous By Date Next
Previous By Thread Next

Current thread: