the hardlink vulnerability in postinst
From: Adam Borowski <email@example.com>
To: Kentaro Hayashi <firstname.lastname@example.org>, email@example.com
Subject: Re: Bug#890480: RFS: groonga/8.0.0-1
Date: Tue, 20 Feb 2018 22:46:36 +0100

On Thu, Feb 15, 2018 at 11:33:35AM +0900, Kentaro Hayashi wrote:
> * Package name : groonga
>   Version : 8.0.0-1
> Changes since last upload:
>
> * New upstream release.

Uploaded, although you'd want to fix the hardlink vulnerability in postinst. "lintian -i groonga-server-common_*.deb" will tell you more.

In short, anyone who can manage to execute arbitrary code as the groonga user can escalate to root on a subsequent upgrade.

It's no regression, thus I uploaded 8.0.0-1 as is.
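The mail names the bug class but not the mechanism, so here is an added illustration; it is my code, not part of the mail, the lintian check, or the groonga package. A hard link is a second name for the same inode, so a recursive chown/chmod run by root over a directory the service user can write to also rewrites the owner or mode of any root-owned file that user has linked into it (the sysctl fs.protected_hardlinks only blocks links to files the attacker can neither read nor write, so world-readable root-owned files stay linkable). The script below demonstrates that propagation unprivileged, using chmod as a stand-in for chown since both act on the inode; it then writes a vulnerable postinst fragment and a hardened one (non-recursive, first install only, deferring to dpkg-statoverride) and runs a crude grep-based stand-in for the lintian check over both. The path /var/lib/groonga, the lintian tag name I recall for this (maintainer-script-should-not-use-recursive-chown-or-chmod) and the grep pattern are assumptions; lintian's own matching is more thorough.

```shell
#!/bin/sh
# Added example, not from the groonga package or the mail above.
set -eu

# demo_hardlink_propagation: a "victim" outside the data dir is hardlinked
# into the data dir by the (simulated) service user; the careless
# postinst's recursive chmod then changes the victim's mode as well,
# because both names share one inode. chmod stands in for chown so this
# runs without root. Returns 0 if the victim became executable.
demo_hardlink_propagation() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/var/lib/groonga"     # constructed layout
    printf 'not a script\n' > "$tmp/etc/victim"
    chmod 644 "$tmp/etc/victim"                     # no execute bit yet
    # attacker step, done as the service user inside its own data dir:
    ln "$tmp/etc/victim" "$tmp/var/lib/groonga/innocent.db"
    # what a careless postinst does as root on every configure:
    chmod -R 755 "$tmp/var/lib/groonga"
    if [ -x "$tmp/etc/victim" ]; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# write_vulnerable_postinst FILE: the pattern lintian complains about.
write_vulnerable_postinst() {
    cat > "$1" <<'EOF'
#!/bin/sh
set -e
case "$1" in
  configure)
    chown -R groonga:groonga /var/lib/groonga
    ;;
esac
EOF
}

# write_safe_postinst FILE: only the top-level directory, only on first
# install ($2 is empty then), and not at all if the admin has a
# dpkg-statoverride for it. Files created later belong to the daemon,
# which runs as groonga, so nothing under the directory needs fixing up.
write_safe_postinst() {
    cat > "$1" <<'EOF'
#!/bin/sh
set -e
case "$1" in
  configure)
    if [ -z "${2:-}" ] && ! dpkg-statoverride --list /var/lib/groonga >/dev/null 2>&1; then
        chown groonga:groonga /var/lib/groonga
    fi
    ;;
esac
EOF
}

# flag_recursive_ops FILE: crude stand-in for the lintian tag; returns 0
# if FILE uses chown/chmod with -R/--recursive or via find -exec.
# The regex is mine, not lintian's.
flag_recursive_ops() {
    grep -Eq '(chown|chmod)[[:space:]]+(-[a-zA-Z]*R|--recursive)|find[^|;&]*-exec[[:space:]]+(chown|chmod)' "$1"
}

# Stand-alone run: ./hardlink-demo.sh demo
if [ "${1:-}" = "demo" ]; then
    demo_hardlink_propagation && echo "victim outside data dir became executable via hardlink"
    d=$(mktemp -d)
    write_vulnerable_postinst "$d/bad"; write_safe_postinst "$d/good"
    flag_recursive_ops "$d/bad"  && echo "bad:  recursive chown found"
    flag_recursive_ops "$d/good" || echo "good: no recursive chown/chmod"
    rm -rf "$d"
fi
```

Even the hardened fragment only removes the recursive walk; it does not make chown on a path race-free, so keep maintainer scripts away from ownership fix-ups on upgrade altogether and let the daemon own what it creates.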