Commit 634535b3 authored by Joost van Baal-Ilić's avatar Joost van Baal-Ilić

credit where credit is due

parent b190cfc0
publicfile-installer (0.11-1) UNRELEASED; urgency=low
* UNRELEASED
* New upstream. No longer ships install-publicfile, no longer uses /tmp
THanks FIXME Closes: FIXME
* New upstream. No longer ships install-publicfile, no longer uses /tmp.
This fixes a serious security issue: a local privilage escalation
security hole due to insecure use of /tmp. "This [...] package downloads
the source code for DJB's publicfile, builds it, and then puts the
output in a predictable location in a world-writable directory, using an
existing directory of that name if it already exists, then (either
automatically or by telling the admin to run another script) installs
whatever happens to be in that directory. This can be exploited by
malicious local users to get arbitrary installscripts executed as root."
Thanks Justin B Rye. Closes: #795062.
+ debian/templates: adjusted.
+ debian/control: Depends: add sudo.
* debian/changelog: fix spelling error.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment