Date: Sun, 3 Mar 2013 12:27:03 +0400
From: gremlin@...mlin.ru
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: busybox

On 02-Mar-2013 21:43:53 -0700, Kurt Seifried wrote:

 >> Hi, busybox is creating parts of the directory tree with
 >> incorrect permissions when creating device nodes in nested
 >> directories:
 >> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701965
 > Just a quick note:
 > find / -perm +0002
 > should show a very minimal list (/tmp, /var/tmp, some spool dirs,
 > and symbolic links),

`find -L / -perm /0002` will perform better, following the symlinks.

 > please run this on your packages/systems to ensure nothing silly
 > is going out the door.

For that, I'd recommend checking for "-perm /0022": group-writable
directories (primarily) and files are about to cause trouble as well.

 > It's 2013, I shouldn't be assigning CVEs for this problem still :P.

That's Debian, they are still in the past century... :-)

-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
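
The permission audit discussed in this message, as an added example that is not part of the original post: it reports world-writable and group-writable entries while skipping the expected exceptions (sticky directories such as /tmp, and symlinks). The function names `audit_perms` and `make_sample_tree` are hypothetical, the sample tree and its modes are constructed, and the POSIX tests `-perm -0002` / `-perm -0020` stand in for GNU find's `-perm /0022`.

```sh
#!/bin/sh
# Added example, not code from the thread. Uses only POSIX sh and POSIX find.

# audit_perms ROOT: print "world <path>" or "group <path>" for each entry
# under ROOT that is writable by others, or by group only.
audit_perms() {
    # ! -type l             : symlink modes are always 0777 and mean nothing
    # ! ( -type d -perm -1000 ): sticky dirs (/tmp style) are the expected hits
    # -perm -0002 and -perm -0020 together cover what GNU find spells
    # "-perm /0022" (any of the listed write bits set).
    find "$1" -xdev ! -type l ! \( -type d -perm -1000 \) -perm -0002 \
        -exec printf 'world %s\n' {} \;
    find "$1" -xdev ! -type l ! \( -type d -perm -1000 \) \
        -perm -0020 ! -perm -0002 -exec printf 'group %s\n' {} \;
}

# make_sample_tree: constructed data; modes are chosen for illustration only.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/dev/bus/usb" "$t/tmp" "$t/etc"
    : > "$t/etc/passwd"
    : > "$t/etc/shared.conf"
    chmod 0755 "$t" "$t/dev" "$t/etc" "$t/dev/bus/usb"
    chmod 0777 "$t/dev/bus"           # nested directory left world-writable
    chmod 1777 "$t/tmp"               # sticky: expected, not reported
    chmod 0644 "$t/etc/passwd"
    chmod 0664 "$t/etc/shared.conf"   # group-writable file
    ln -s /nonexistent "$t/etc/link"  # symlink: skipped
    printf '%s\n' "$t"
}

tree=$(make_sample_tree) && audit_perms "$tree"
rm -rf "$tree"
```

Pointing `audit_perms` at an unpacked package or image root instead of the sample tree gives the pre-release check the thread asks for.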