Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 20 Oct 2014 16:40:05 +0200
From: Mario Vilas <mvilas@...il.com>
To: Grond <grond66@...il.com>
Cc: Nick Kralevich <nnk@...gle.com>, oss-security@...ts.openwall.com, 
	fulldisclosure <fulldisclosure@...lists.org>
Subject: Re: [FD] CVE request: remote code execution in Android CTS

On Mon, Oct 20, 2014 at 4:27 AM, Grond <grond66@...il.com> wrote:

> Is this kind of file ever *intended* to be used as an executable script?
> If the answer is "no"; then you should apply fixes.
>

Seems to me like it was. Also, wouldn't a user who can edit those files
also be able to, for example, patch the executable files as well? I haven't
actually checked the file permissions but it seems like a reasonable
assumption.


-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ