Bug#405510: Build process sets the eog-$VER directory perms to 777
Josselin Mouette
joss at debian.org
Thu Jan 4 09:16:07 CET 2007
tag 405510 unreproducible
thanks
On Thursday 4 January 2007 at 05:02 +0200, Sami Liedes wrote:
> Package: eog
> Version: 2.16.2-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> This is a user security hole only on systems where the package is
> built. Sorry if this doesn't qualify it for the grave severity.
>
> The build process of eog sets the perms of the entire eog-$VERSION
> subdirectory and all its subdirectories to 777 before compilation.
> This allows a local attacker to do any nastiness to the source files
> or scripts that subsequently get packaged in a .deb. The attacker can
> also choose to run any code as the user building the package.
Sorry, but I can't reproduce it here, and eog isn't doing anything
special with permissions. There is certainly something wrong with your
setup.
--
.''`.
: :' : We are debian.org. Lower your prices, surrender your code.
`. `' We will add your hardware and software distinctiveness to
`- our own. Resistance is futile.
More information about the Pkg-gnome-maintainers
mailing list
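The open question in this thread is whether the 777 modes come from the build step or from the reporter's setup. The following is an added example, not code from the thread or from the eog package, that snapshots modes before and after a build so the two cases can be told apart. The function names are hypothetical, and `stat -c` assumes GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example: tell "the build changed the modes" apart from
# "the tree was already world-writable after unpacking".
#
# Typical use (paths are placeholders):
#   snapshot_modes eog-$VER > /tmp/before   # right after unpacking
#   ...run the build...
#   snapshot_modes eog-$VER > /tmp/after
#   world_writable /tmp/before              # non-empty: setup/umask issue
#   newly_world_writable /tmp/before /tmp/after   # non-empty: build issue

# snapshot_modes TREE
# Print "OCTALMODE PATH" for every non-symlink entry under TREE.
# Symlinks are skipped because their own mode is always 777.
snapshot_modes() {
    find "$1" ! -type l -exec stat -c '%a %n' {} + | LC_ALL=C sort -k2
}

# world_writable SNAPSHOT
# Print paths whose mode has the "other write" bit set (last octal
# digit 2, 3, 6 or 7). Paths may contain spaces but not newlines.
world_writable() {
    awk '
        function ww(m) { return (substr(m, length(m)) + 0) % 4 >= 2 }
        { if (ww($1)) print substr($0, index($0, " ") + 1) }
    ' "$1"
}

# newly_world_writable BEFORE AFTER
# Print paths that are world-writable in AFTER but were not in BEFORE
# (either the mode changed, or the path was created during the build).
newly_world_writable() {
    awk '
        function ww(m) { return (substr(m, length(m)) + 0) % 4 >= 2 }
        { path = substr($0, index($0, " ") + 1) }
        FILENAME == ARGV[1] { before[path] = $1; next }
        ww($1) && !((path in before) && ww(before[path])) { print path }
    ' "$1" "$2"
}
```

If `world_writable` already reports paths in the first snapshot, check the `umask` of the building user and how the source was unpacked before looking at the package's build scripts.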