
List:       openbsd-ports
Subject:    Re: tcl/tk local root possible
From:       naddy () mips ! inka ! de (Christian Weisgerber)
Date:       2002-09-26 16:06:40

Jose Nazario <jose@monkey.org> wrote:

> a few linux distros have released updated packages of tcl/tk. the problem
> is that the publicly writable /var/tmp is searched before the system
> libraries are searched, possibly subverting library calls. the "local
> root" comes from trojanning tcl/tk apps used in system administration.
> 
> 	http://lwn.net/Alerts/10713/
> 	http://lwn.net/Alerts/7561/
> 	http://lwn.net/Alerts/7447/

I have a hard time making sense of this.  I think I have located
some of the corresponding patches in the Mandrake CVS, but I'm not
clear about the problem.  I suspect their build ended up with
artifacts of the fake root (which is typically placed under /var/tmp
for RPM) in the package.

I just ktrace'd our expect and wish8.3 on start-up and there are
no namei() traversals with problematic paths.

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de
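
Added example, not part of the original message: one way to make the ktrace check above repeatable is to scan `kdump` output for NAMI (namei) records that resolve under a world-writable directory. The trace lines, the PIDs and the directory list are constructed assumptions; flagging relative lookups goes slightly beyond the /var/tmp case discussed in the thread.

```python
import posixpath
import re

# Assumption: directories any local user can write to on the host under test.
WORLD_WRITABLE = ("/tmp", "/var/tmp")

# kdump prints each pathname lookup as:  <pid> <command>  NAMI  "<path>"
NAMI_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s+NAMI\s+"(.*)"\s*$')

# Constructed sample in kdump layout; not output from a real run.
SAMPLE_KDUMP = """\
  4711 wish8.3  CALL  open(0x3c0021a0,0,0)
  4711 wish8.3  NAMI  "/usr/local/lib/tcl8.3/init.tcl"
  4711 wish8.3  RET   open 3
  4711 wish8.3  NAMI  "/var/tmp/fakeroot/usr/lib/tcl8.3/init.tcl"
  4711 wish8.3  NAMI  "/usr/local/lib/tk8.3/tk.tcl"
  4712 expect   NAMI  "/usr/local/lib/../../../var/tmp/expect/init.tcl"
  4712 expect   NAMI  "/var/tmpfiles/pkgIndex.tcl"
"""


def risky_lookups(kdump_text, writable=WORLD_WRITABLE):
    """Return (command, path, reason) for lookups a local user could influence."""
    findings = []
    for line in kdump_text.splitlines():
        match = NAMI_RE.match(line)
        if not match:
            continue  # CALL, RET, GIO and other record types
        _pid, command, path = match.groups()
        if not path.startswith("/"):
            findings.append((command, path, "relative to current directory"))
            continue
        # Collapse ".." so a path cannot hide its real location.
        norm = posixpath.normpath(path)
        for directory in writable:
            # Match whole components: /var/tmpfiles is not under /var/tmp.
            if norm == directory or norm.startswith(directory + "/"):
                findings.append((command, path, "under " + directory))
                break
    return findings


if __name__ == "__main__":
    for command, path, reason in risky_lookups(SAMPLE_KDUMP):
        print(f"{command}: {path} ({reason})")
```

An empty result for a real trace matches the outcome reported in the message; any hit names the binary and the path to inspect.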
