Date: Mon, 20 Oct 2014 16:40:05 +0200 From: Mario Vilas <mvilas@...il.com> To: Grond <grond66@...il.com> Cc: Nick Kralevich <nnk@...gle.com>, oss-security@...ts.openwall.com, fulldisclosure <fulldisclosure@...lists.org> Subject: Re: [FD] CVE request: remote code execution in Android CTS On Mon, Oct 20, 2014 at 4:27 AM, Grond <grond66@...il.com> wrote: > Is this kind of file ever *intended* to be used as an executable script? > If the answer is "no"; then you should apply fixes. > Seems to me like it was. Also, wouldn't a user who can edit those files also be able to, for example, patch the executable files as well? I haven't actually checked the file permissions but it seems like a reasonable assumption. -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ