List: openbsd-ports
Subject: Re: tcl/tk local root possible
From: naddy () mips ! inka ! de (Christian Weisgerber)
Date: 2002-09-26 16:06:40
Jose Nazario <jose@monkey.org> wrote:
> a few linux distros have released updated packages of tcl/tk. the problem
> is that the publicly writable /var/tmp is searched before the system
> libraries are searched, possibly subverting library calls. the "local
> root" comes from trojanning tcl/tk apps used in system administration.
>
> http://lwn.net/Alerts/10713/
> http://lwn.net/Alerts/7561/
> http://lwn.net/Alerts/7447/

I have a hard time making sense of this. I think I have located
some of the corresponding patches in the Mandrake CVS, but I'm not
clear about the problem. I suspect their build ended up with
artifacts of the fake root (which is typically placed under /var/tmp
for RPM) in the package.

I just ktrace'd our expect and wish8.3 on start-up and there are
no namei() traversals with problematic paths.

--
Christian "naddy" Weisgerber naddy@mips.inka.de
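
The ktrace check described in the message above can be automated. This is an added example, not part of the original post or of OpenBSD: it scans default-format `kdump` output for NAMI records under world-writable directories. The directory list, function names and sample trace lines are assumptions constructed for illustration.

```python
import posixpath
import re

# Default kdump(1) layout for a name lookup (assumed: no timestamp options):
#   4242 wish8.3  NAMI  "/usr/local/lib/libtcl83.so.1.0"
NAMI_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s+NAMI\s+"(.*)"\s*$')

# Directories assumed to be world-writable on the audited host.
WRITABLE_DIRS = ("/tmp", "/var/tmp")

def under(path, directory):
    """True if path, after collapsing '.' and '..', is directory or below it."""
    norm = posixpath.normpath(path)
    return norm == directory or norm.startswith(directory + "/")

def suspicious_lookups(kdump_text, writable_dirs=WRITABLE_DIRS):
    """Return (pid, command, path) for each NAMI record under a writable dir."""
    hits = []
    for line in kdump_text.splitlines():
        m = NAMI_RE.match(line)
        if not m:
            continue  # CALL, RET, GIO and other record types are ignored
        pid, cmd, path = m.groups()
        if any(under(path, d) for d in writable_dirs):
            hits.append((int(pid), cmd, path))
    return hits

# Constructed sample: a start-up trace with no problematic lookups.
CLEAN_TRACE = '''\
  4242 wish8.3  CALL  open(0x3c0021a0,0,0)
  4242 wish8.3  NAMI  "/usr/local/lib/libtcl83.so.1.0"
  4242 wish8.3  RET   open 3
  4242 wish8.3  NAMI  "/usr/local/lib/tcl8.3/init.tcl"
'''

# Constructed sample: a build that kept a fake-root path under /var/tmp.
TAINTED_TRACE = CLEAN_TRACE + '''\
  4242 wish8.3  NAMI  "/var/tmp/buildroot/usr/lib/tcl8.3/init.tcl"
'''

if __name__ == "__main__":
    for pid, cmd, path in suspicious_lookups(TAINTED_TRACE):
        print(f"{cmd}[{pid}] looked up {path}")
```

To use it on a real trace, pass the text produced by `kdump` for the ktrace'd program to `suspicious_lookups()`; an empty list matches the result reported in the message.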