[pkg-bacula-devel] Upload

Sven Hartge sven at svenhartge.de
Thu Oct 26 21:10:25 UTC 2017


On 26.10.2017 22:44, Carsten Leonhardt wrote:

> could you have a quick look at my merge of the CVE branch with master?
> If it's ok, I'll upload the result as 9.0.4+dfsg-3.

Looking at everything again, I am right now wondering if we should keep
everything as is for the systemd case. Yes, the PID file is created as
non-root, but systemd does not use it, so the CVE does not apply.

Only the sysv-init case is/may be vulnerable, because start-stop-daemon
uses the PID file to decide what to kill. (Does it really? Doesn't it
check if the PID in the PID file really does belong to a process
originating from the $DAEMON binary?)

Unfortunately I killed my sysv-init VM yesterday and have yet to create
a new one, so I can't verify what start-stop-daemon does if one
deliberately changes/fakes the PID in the PID file.

Your opinion on this?

Regards,
Sven.
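The check Sven asks about, written out as an added shell example (not code from this thread and not how start-stop-daemon itself is implemented): before trusting a PID file, confirm that the PID it names belongs to a process whose executable is the expected daemon binary. It assumes Linux with /proc mounted; the "sleep" daemon and the PID values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from start-stop-daemon: before
# acting on a PID file, confirm the PID it names belongs to a process whose
# executable is the expected daemon binary. Assumes Linux with /proc mounted.

# pid_matches_daemon PIDFILE DAEMON_PATH
# Return codes: 0 = PID runs DAEMON_PATH, 1 = PID file unreadable or not numeric,
# 2 = no such process, 3 = /proc/PID/exe unreadable (e.g. another user's process),
# 4 = the PID belongs to a different binary (a stale or tampered PID file).
pid_matches_daemon() {
    pidfile=$1
    daemon=$2
    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ -d "/proc/$pid" ] || return 2
    exe=$(readlink -f "/proc/$pid/exe" 2>/dev/null) || return 3
    [ -n "$exe" ] || return 3
    # Resolve symlinks on both sides so /bin -> /usr/bin layouts compare equal.
    [ "$exe" = "$(readlink -f "$daemon")" ] && return 0
    return 4
}

# Print the return code instead of letting a non-zero status abort under set -e.
check() {
    if pid_matches_daemon "$1" "$2"; then echo 0; else echo $?; fi
}

# Constructed scenario: "sleep" plays the daemon. The PID file first names the
# real daemon, then an unrelated process (this shell), then a PID that does not exist.
demo() {
    daemon_bin=/bin/sleep
    [ -x "$daemon_bin" ] || daemon_bin=/usr/bin/sleep
    tmp=$(mktemp -d)
    "$daemon_bin" 30 >/dev/null 2>&1 &
    daemon_pid=$!
    sleep 1                                # let the child finish exec'ing sleep
    echo "$daemon_pid" > "$tmp/daemon.pid"
    good=$(check "$tmp/daemon.pid" "$daemon_bin")
    echo "$$" > "$tmp/daemon.pid"          # PID file now points at this shell
    wrong=$(check "$tmp/daemon.pid" "$daemon_bin")
    echo 99999999 > "$tmp/daemon.pid"      # above pid_max, so never a live process
    gone=$(check "$tmp/daemon.pid" "$daemon_bin")
    kill "$daemon_pid" 2>/dev/null
    rm -rf "$tmp"
    echo "$good $wrong $gone"
}

echo "match / wrong process / no process: $(demo)"   # prints: 0 4 2
```

A sysv init script that killed only after a return code of 0 would ignore a stale or tampered PID file instead of signalling whatever process currently holds that PID.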
