Commit 634535b3 authored by Joost van Baal-Ilić

credit where credit is due

parent b190cfc0
publicfile-installer (0.11-1) UNRELEASED; urgency=low publicfile-installer (0.11-1) UNRELEASED; urgency=low
* UNRELEASED * UNRELEASED
* New upstream. No longer ships install-publicfile, no longer uses /tmp * New upstream. No longer ships install-publicfile, no longer uses /tmp.
THanks FIXME Closes: FIXME This fixes a serious security issue: a local privilage escalation
security hole due to insecure use of /tmp. "This [...] package downloads
the source code for DJB's publicfile, builds it, and then puts the
output in a predictable location in a world-writable directory, using an
existing directory of that name if it already exists, then (either
automatically or by telling the admin to run another script) installs
whatever happens to be in that directory. This can be exploited by
malicious local users to get arbitrary installscripts executed as root."
Thanks Justin B Rye. Closes: #795062.
+ debian/templates: adjusted. + debian/templates: adjusted.
+ debian/control: Depends: add sudo. + debian/control: Depends: add sudo.
* debian/changelog: fix spelling error. * debian/changelog: fix spelling error.
......
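Review bot: the new text for the /tmp fix misspells "privilege" as "privilage" in "a local privilage escalation", in the same entry that lists "debian/changelog: fix spelling error". The header still reads urgency=low although the entry now describes a serious local root escalation; consider raising the urgency so the fix for #795062 reaches users promptly. The entry also states "no longer uses /tmp" and adds sudo to Depends without saying where the build now takes place or what sudo is used for; a line on each would let an admin confirm that the predictable, world-writable build location is gone.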