oss-sec mailing list archives
Re: [PATCH] implement privmode support in dash
From: Seth Arnold <seth.arnold () canonical com>
Date: Thu, 22 Aug 2013 22:42:15 -0700
On Thu, Aug 22, 2013 at 09:31:03PM -0600, Kurt Seifried wrote:
On 08/22/2013 11:59 AM, Tavis Ormandy wrote:Here is a related blog post on the topic http://blog.cmpxchg8b.com/2013/08/security-debianisms.html If you care about tracking vulnerabilities, the vmware issue is called CVE-2013-1662.Do we need one for Debian as well? Seems like a strong maybe.
I don't think so -- it isn't the shell at fault when a setuid program fails to manage its privileges properly. Incidentally, I'm curious to know how the vmware-mount problem was discovered. Was it discovered because dash does not have bash's mitigation in place? Or was it discovered via some other mechanism? Regardless of the answer, it is probably worth using bash's mitigation in dash, but I'm curious if we'll make discovering future bugs in setuid programs more difficult to spot by happenstance by doing so. Thanks
Attachment:
signature.asc
Description: Digital signature
Current thread:
- Re: [PATCH] implement privmode support in dash, (continued)
- Re: [PATCH] implement privmode support in dash Tavis Ormandy (Aug 23)
- Re: [PATCH] implement privmode support in dash Ludwig Nussel (Aug 23)
- Re: [PATCH] implement privmode support in dash Harald van Dijk (Aug 22)
- Re: [PATCH] implement privmode support in dash Tavis Ormandy (Aug 22)
- Re: [PATCH] implement privmode support in dash Jilles Tjoelker (Aug 22)
- Re: [PATCH] implement privmode support in dash Tavis Ormandy (Aug 22)
- Re: [PATCH] implement privmode support in dash Jérémie Courrèges-Anglas (Aug 23)
- Re: [PATCH] implement privmode support in dash Jérémie Courrèges-Anglas (Aug 23)
- Re: [PATCH] implement privmode support in dash Roy (Aug 23)
- Re: [PATCH] implement privmode support in dash Seth Arnold (Aug 22)
- Re: [PATCH] implement privmode support in dash Michael Samuel (Aug 22)
- Re: [PATCH] implement privmode support in dash Tavis Ormandy (Aug 23)
- Re: [PATCH] implement privmode support in dash Florian Weimer (Aug 23)