Date: Sun, 3 Mar 2013 12:27:03 +0400
From: gremlin@...mlin.ru
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: busybox

On 02-Mar-2013 21:43:53 -0700, Kurt Seifried wrote:

 >> Hi, busybox is creating parts of the directory tree with
 >> incorrect permissions when creating device nodes in nested
 >> directories:
 >> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701965

 > Just a quick note:
 > find / -perm +0002
 > should show a very minimal list (/tmp, /var/tmp, some spool dirs,
 > and symbolic links),

`find -L / -perm /0002` will perform better, following the symlinks.

 > please run this on your packages/systems to ensure nothing silly
 > is going out the door.

For that, I'd recommend checking for "-perm /0022": group-writable
directories (primarily) and files are about to cause trouble as well.

 > It's 2013, I shouldn't be assigning CVEs for this problem still :P.

That's Debian, they are still in the past century... :-)


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
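
An added example, not part of the original message: a POSIX sh audit of a staging tree for the world-writable and group-writable entries discussed in the thread. The tree layout and function names are constructed for illustration; `-perm -0002 -o -perm -0020` is the portable spelling of GNU find's `-perm /0022`.

```shell
#!/bin/sh
# Added example; paths and function names are constructed for illustration.

# Build a throwaway tree that mimics nested device directories created
# with overly permissive modes, plus entries that should NOT be reported.
build_sample_tree() {
    (
        umask 022
        root=$(mktemp -d) || exit 1
        mkdir -p "$root/dev/bus/usb" "$root/etc" "$root/tmp"
        chmod 0777 "$root/dev/bus"        # world-writable directory
        chmod 0775 "$root/dev/bus/usb"    # group-writable only
        : > "$root/etc/app.conf"
        chmod 0664 "$root/etc/app.conf"   # group-writable file
        chmod 1777 "$root/tmp"            # sticky: the expected /tmp pattern
        ln -s tmp "$root/tmplink"         # symlink: its own mode bits are ignored
        printf '%s\n' "$root"
    )
}

# World-writable entries only (the "-perm /0002" check), skipping symlinks
# and sticky directories.
audit_world() {
    find "$1" ! -type l -perm -0002 ! \( -type d -perm -1000 \) -print | sort
}

# World- or group-writable entries. The -o pair is the POSIX spelling of
# GNU find's "-perm /0022".
audit_writable() {
    find "$1" ! -type l \( -perm -0002 -o -perm -0020 \) \
        ! \( -type d -perm -1000 \) -print | sort
}

# Demo run on the constructed tree.
demo_root=$(build_sample_tree)
echo "world-writable:";           audit_world "$demo_root"
echo "world- or group-writable:"; audit_writable "$demo_root"
rm -rf "$demo_root"
```

The second listing includes `dev/bus/usb` and `etc/app.conf`, which the world-writable check alone misses.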
