List: oss-security
Subject: Re: [oss-security] CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH
From: Tim Brown <tmb () 65535 ! com>
Date: 2012-10-21 0:10:55
Message-ID: 201210210110.56641.tmb () 65535 ! com
On Wednesday 17 Oct 2012 20:46:55 Michael Gilbert wrote:
> It was uploaded to and affected Debian testing and unstable. Testing
> has not yet been officially "released", but some people use testing as
> if it were an official release. Unstable never gets released.
FWIW, I have added a check to unix-privesc-check for privileged binaries that
have "PATH=" embedded in them and run it over a couple of fairly vanilla
Debian systems with KDE on it and seen a few other cases of embedded PATHs.
This yielded a few cases where "privileged" binaries trust
/usr/local/{bin/sbin} but nothing else untoward. trunk is currently in flux,
but vendors may wish to incorporate it into their release testing in due
course.
Tim
--
Tim Brown
<mailto:tmb@65535.com>
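
An added example, not part of the original message and not unix-privesc-check's own code: one way to implement the kind of check described above, in Python. It assumes "privileged" means setuid/setgid files and that a PATH entry is acceptable only if it is an absolute, existing, root-owned directory that is not group- or world-writable; the function names, the regex and the sample bytes used to exercise it are constructed for illustration.

```python
import os, re, stat, sys

# "PATH=" followed by a value starting with "/", ":" or "." (this skips format
# strings such as "PATH=%s"); it also matches LD_LIBRARY_PATH= and similar.
PATH_RE = re.compile(rb"PATH=([/:.][\x21-\x7e]*)")

def embedded_paths(blob):
    """Return every embedded PATH= value found in a binary's raw bytes."""
    return [m.group(1).decode("ascii") for m in PATH_RE.finditer(blob)]

def dir_problem(d):
    """Reason d is unsafe on a privileged PATH, or None (assumed policy)."""
    if not d.startswith("/"):
        return "empty or relative entry (resolved against the current directory)"
    try:
        st = os.stat(d)
    except OSError:
        return "does not exist (e.g. a leftover build path)"
    if st.st_uid != 0:
        return "not owned by root"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None

def audit_value(value, check=dir_problem):
    """Map each flagged entry of one PATH value to the reason it was flagged."""
    return {d: r for d in value.split(":") if (r := check(d))}

def privileged_files(roots):
    """Yield readable regular files under roots with the setuid or setgid bit."""
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                p = os.path.join(dirpath, name)
                try:
                    mode = os.lstat(p).st_mode
                except OSError:
                    continue
                privileged = mode & (stat.S_ISUID | stat.S_ISGID)
                if stat.S_ISREG(mode) and privileged and os.access(p, os.R_OK):
                    yield p

if __name__ == "__main__":
    for p in privileged_files(sys.argv[1:] or ["/bin", "/sbin", "/usr/bin", "/usr/sbin"]):
        with open(p, "rb") as fh:
            for value in embedded_paths(fh.read()):
                for d, reason in audit_value(value).items():
                    print(f"{p}: PATH={value}: {d!r} {reason}")
```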