oss-security - Re: Re: two systemtap flaws: CVE-2011-2502 and CVE-2011-2503

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-ID: <mpro.lp1gob3w5e11102h5.taviso@cmpxchg8b.com>
Date: Thu, 28 Jul 2011 12:19:23 +0200
From: Tavis Ormandy <taviso@...xchg8b.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: two systemtap flaws: CVE-2011-2502 and CVE-2011-2503

Huzaifa Sidhpurwala <huzaifas@...hat.com>
wrote:

> On 07/28/2011 03:34 PM, Tavis Ormandy wrote:
> 
> > Interesting, I also looked at systemtap and found a local root
> > (CVE-2010-4170), but was under the impression we had agreed it should be
> > restricted to a privileged group?
> > 
> > https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/systemtap-2010-11-18
> > 
> > I stopped looking because I concluded that had eliminated any security
> > risk, is that no longer the case?
> > 
> I believe this does reduce the risk, but does not totally eliminate it.
> 
> 

Oh I see, the group restriction is still in place, but you still support
adding unprivileged users to the group?

Understood, I think that sounds reasonable.

Tavis.


-- 
-------------------------------------
taviso@...xchg8b.com | pgp encrypted mail preferred
-------------------------------------------------------

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.