Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <201210210110.56641.tmb@65535.com>
Date: Sun, 21 Oct 2012 01:10:55 +0100
From: Tim Brown <tmb@...35.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH

On Wednesday 17 Oct 2012 20:46:55 Michael Gilbert wrote:

> It was uploaded to and affected Debian testing and unstable.  Testing
> has not yet been officially "released", but some people use testing as
> if it were an official release.  Unstable never gets released.

FWIW, I have added a check to unix-privesc-check for privileged binaries that 
have "PATH=" embedded in them and run it over a couple of fairly vanilla 
Debian systems with KDE on it and seen a few other cases of embedded PATHs.  
This yielded a few cases where "privileged" binaries trust 
/usr/local/{bin/sbin} but nothing else untoward. trunk is currently in flux, 
but vendors may wish to incorporate it into their release testing in due 
course.

Tim
-- 
Tim Brown
<mailto:tmb@...35.com>

Download attachment "signature.asc " of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.