Bug#845385: Privilege escalation via removal
Emmanuel Bourg
ebourg at apache.org
Tue Nov 22 23:30:54 UTC 2016
Hi Paul,

Thank you very much for reporting this issue. I confirm this happens
when purging the package only. The offending chown was first introduced
in the tomcat6 package 6 years ago [1] as part of the fix for #567548.
The same issue is also found in the tomcat7 package.

Do you think running something like "chmod -R 640 /etc/tomcat8" right
before the chown is an appropriate solution to this issue?

Emmanuel Bourg

[1] https://anonscm.debian.org/cgit/pkg-java/tomcat6.git/commit/?id=f67781f