oss-sec mailing list archives
Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH
From: Tim Brown <tmb () 65535 com>
Date: Sun, 21 Oct 2012 01:10:55 +0100
On Wednesday 17 Oct 2012 20:46:55 Michael Gilbert wrote:
> It was uploaded to and affected Debian testing and unstable. Testing has not yet been officially "released", but some people use testing as if it were an official release. Unstable never gets released.
FWIW, I have added a check to unix-privesc-check for privileged binaries that have "PATH=" embedded in them and run it over a couple of fairly vanilla Debian systems with KDE on it and seen a few other cases of embedded PATHs. This yielded a few cases where "privileged" binaries trust /usr/local/{bin/sbin} but nothing else untoward.

trunk is currently in flux, but vendors may wish to incorporate it into their release testing in due course.

Tim
-- 
Tim Brown
<mailto:tmb () 65535 com>
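The kind of check described in the message above, as an added example that is not part of the original post and is not unix-privesc-check's own code: it pulls embedded "PATH=" strings out of a binary and labels every entry that falls outside the standard system directories. The `SYSTEM_DIRS` set, the label names and the sample bytes are assumptions made for illustration, and which binaries count as privileged is left to the caller.

```python
import re
import sys

# Assumption: directories a distribution binary may legitimately hard-code.
SYSTEM_DIRS = {"/sbin", "/bin", "/usr/sbin", "/usr/bin"}
# A printable run after a literal "PATH=", roughly `strings | grep PATH=`.
# The lookbehind skips other variables such as LD_LIBRARY_PATH= or MANPATH=.
PATH_RE = re.compile(rb"(?<![A-Za-z0-9_])PATH=([\x21-\x7e]+)")

def embedded_paths(data):
    """Return every embedded PATH value as a list of directory entries."""
    values = [m.group(1).decode("ascii") for m in PATH_RE.finditer(data)]
    # Values containing "%" are format templates ("PATH=%s"), not fixed paths.
    return [v.split(":") for v in values if "%" not in v]

def classify(entry):
    """Label one PATH entry by how much scrutiny it deserves."""
    if entry in SYSTEM_DIRS:
        return "ok"
    if not entry.startswith("/"):
        return "relative"      # "", "." or a relative dir: depends on the cwd
    if entry.startswith("/usr/local/"):
        return "local"         # admin-controlled, the case reported above
    return "unexpected"        # e.g. a leftover build directory

def audit_bytes(data):
    """Return (entry, label) for each embedded entry that is not 'ok'."""
    return [(e, classify(e)) for entries in embedded_paths(data)
            for e in entries if classify(e) != "ok"]

def audit_file(path):
    with open(path, "rb") as fh:
        return audit_bytes(fh.read())

# Constructed sample, not taken from any real binary.
SAMPLE = (b"\x7fELF\x01\x00PATH=/sbin:/bin:/usr/sbin:/usr/bin:"
          b"/build/pkg-1.0/client:/usr/local/sbin\x00"
          b"LD_LIBRARY_PATH=/opt/lib\x00PATH=%s\x00")

if __name__ == "__main__":
    # Usage: pass the privileged binaries to audit as arguments.
    for target in sys.argv[1:]:
        for entry, label in audit_file(target):
            print(f"{target}: {label}: {entry}")
```

An "unexpected" entry deserves a follow-up check of whether the directory exists on the installed system and who can create or write to it.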