oss-sec mailing list archives

Re: CVE id request: busybox


From: gremlin () gremlin ru
Date: Sun, 3 Mar 2013 12:27:03 +0400

On 02-Mar-2013 21:43:53 -0700, Kurt Seifried wrote:

> Hi, busybox is creating parts of the directory tree with
> incorrect permissions when creating device nodes in nested
> directories:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701965
>
> Just a quick note:
> find / -perm +0002
> should show a very minimal list (/tmp, /var/tmp, some spool dirs,
> and symbolic links),

`find -L / -perm /0002` will perform better, following the symlinks.

> please run this on your packages/systems to ensure nothing silly
> is going out the door.

For that, I'd recommend checking for "-perm /0022": group-writable
directories (primarily) and files are about to cause trouble as well.

> It's 2013, I shouldn't be assigning CVEs for this problem still :P.

That's Debian, they are still in the past century... :-)


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
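
Added example, not part of the original message: a shell function that narrows the `find -perm` checks discussed above to actionable findings by skipping sticky directories such as /tmp and skipping symbolic links. The function name `audit_writable` and the output format are assumptions made for this illustration; it relies on `stat -c`, which GNU coreutils and busybox both provide.

```shell
#!/bin/sh
# audit_writable ROOT
# Prints one line per finding: "<class> <octal-mode> <path>".
# "-perm -0002" (all listed bits set) is the portable spelling; for a
# single bit it selects the same files as GNU find's "-perm /0002".
audit_writable() {
    root=$1

    # World-writable directories WITHOUT the sticky bit: any user can
    # rename or delete entries in them. Mode 1777 (/tmp, /var/tmp) is
    # expected and therefore skipped.
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 \
        -exec stat -c 'world-dir %a %n' {} +

    # World-writable regular files and device nodes. Symbolic links are
    # not listed: their own mode bits carry no meaning.
    find "$root" -xdev \( -type f -o -type b -o -type c \) -perm -0002 \
        -exec stat -c 'world-file %a %n' {} +

    # Group-writable but not world-writable: the extra cases caught when
    # the mask is widened from 0002 to 0022. Review group membership.
    find "$root" -xdev ! -type l -perm -0020 ! -perm -0002 \
        -exec stat -c 'group-write %a %n' {} +
}

# Stand-alone use: sh audit.sh /path/to/unpacked/package
if [ "$#" -gt 0 ]; then
    audit_writable "$1"
fi
```

Run it against an unpacked package or a staged root filesystem; an empty result means no over-permissive entries of these three classes were found on that filesystem.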

