
List:       oss-security
Subject:    Re: [oss-security] CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH
From:       Tim Brown <tmb () 65535 ! com>
Date:       2012-10-21 0:10:55
Message-ID: 201210210110.56641.tmb () 65535 ! com


On Wednesday 17 Oct 2012 20:46:55 Michael Gilbert wrote:

> It was uploaded to and affected Debian testing and unstable.  Testing
> has not yet been officially "released", but some people use testing as
> if it were an official release.  Unstable never gets released.

FWIW, I have added a check to unix-privesc-check for privileged binaries that 
have "PATH=" embedded in them and run it over a couple of fairly vanilla 
Debian systems with KDE on them and seen a few other cases of embedded PATHs.  
This yielded a few cases where "privileged" binaries trust 
/usr/local/{bin/sbin} but nothing else untoward. Trunk is currently in flux, 
but vendors may wish to incorporate it into their release testing in due 
course.

Tim
-- 
Tim Brown
<mailto:tmb@65535.com>
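As an added example (not code from unix-privesc-check or from the post above), a POSIX shell version of the check Tim describes: it pulls "PATH=" strings out of setuid/setgid binaries and reports entries an unprivileged user could influence (relative or empty entries, missing directories, group- or world-writable directories). Function names and the REASON labels are my own.

```shell
#!/bin/sh
# Added example, not code from unix-privesc-check: find PATH= strings embedded
# in setuid/setgid binaries and flag PATH entries an unprivileged user could
# influence (relative/empty entries, missing dirs, group- or world-writable dirs).

# Print each distinct PATH value embedded in a file (-a scans binaries as text).
embedded_paths() {
    grep -a -o 'PATH=[^[:space:][:cntrl:]"]*' "$1" 2>/dev/null \
        | sed 's/^PATH=//' | sort -u
}

# Given one PATH value, print "<REASON> <dir>" for every entry worth a look.
risky_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        case "$d" in
            /*) ;;                                        # absolute: check below
            *)  printf 'RELATIVE %s\n' "$d"; continue ;;  # "" or "." means CWD
        esac
        if [ ! -d "$d" ]; then
            printf 'MISSING %s\n' "$d"                    # could be created later
            continue
        fi
        perm=$(ls -ld "$d" | cut -c1-10)                  # e.g. drwxrwxrwt
        case "$perm" in
            ????????w?) printf 'WRITABLE %s\n' "$d" ;;        # other-write bit
            ?????w????) printf 'GROUP_WRITABLE %s\n' "$d" ;;  # group-write bit
        esac
    done
}

# Read file names on stdin; print "<file> PATH=<value> <REASON> <dir>" per finding.
scan_files() {
    while IFS= read -r f; do
        embedded_paths "$f" | while IFS= read -r p; do
            risky_dirs "$p" | while IFS= read -r r; do
                printf '%s PATH=%s %s\n' "$f" "$p" "$r"
            done
        done
    done
}

# Scan a tree for setuid/setgid regular files, e.g. as a release-testing step.
scan_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | scan_files
}

# Usage: scan_privileged /usr
```

A binary that trusts only root-owned, non-writable directories such as /usr/local/bin produces no output here; the report lists only entries that need a closer look.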
