oss-sec mailing list archives
Re: CVE id request: busybox
From: gremlin () gremlin ru
Date: Sun, 3 Mar 2013 12:27:03 +0400
On 02-Mar-2013 21:43:53 -0700, Kurt Seifried wrote:

> Hi, busybox is creating parts of the directory tree with incorrect permissions when creating device nodes in nested directories: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701965

> Just a quick note: find / -perm +0002 should show a very minimal list (/tmp, /var/tmp, some spool dirs, and symbolic links),

`find -L / -perm /0002` will perform better, following the symlinks.

> please run this on your packages/systems to ensure nothing silly is going out the door.

For that, I'd recommend checking for "-perm /0022": group-writable directories (primarily) and files are about to cause trouble as well.

> It's 2013, I shouldn't be assigning CVEs for this problem still :P.

That's Debian, they are still in the past century... :-)

--
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
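The permission check discussed in this message, as an added example that is not part of the original thread: a POSIX sh function that sorts findings into world-writable directories without the sticky bit, world-writable files, and group-writable entries. It uses `-perm -MODE` tests, which together match the same entries as `-perm /0022`; the names `audit_writable` and `report`, the use of `-xdev`, and the choice to skip symlinks and sticky directories such as /tmp are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.
# Usage: audit_writable /    (run as root to see the whole tree)

# report LABEL DIR FIND-TESTS...
# -xdev keeps find on one filesystem, so /proc, /sys and network mounts
# are not walked. "{} +" batches paths; printf repeats its format per path.
# Restricting by -type leaves symlinks out: their own mode bits are not
# used for access checks on Linux, so they are only noise in this list.
report() {
    label=$1
    dir=$2
    shift 2
    find "$dir" -xdev "$@" -exec printf "$label %s\n" {} +
}

# audit_writable [ROOT]
# Prints one "<class> <path>" line per finding under ROOT (default /).
audit_writable() {
    root=${1:-/}
    # World-writable directory without the sticky bit (01000): any local
    # user can rename or delete entries that belong to someone else.
    # Sticky ones (/tmp, /var/tmp, spool dirs) are the expected short list.
    report world-dir-nosticky "$root" -type d -perm -0002 ! -perm -1000
    # World-writable regular file.
    report world-file "$root" -type f -perm -0002
    # Group-writable but not world-writable: what "-perm /0022" reports
    # in addition to "-perm /0002".
    report group-writable "$root" \( -type d -o -type f \) \
        -perm -0020 ! -perm -0002
}
```

Group-writable findings still need a look at which group owns the entry and who is a member of it before deciding whether they are a problem.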