Gentoo Archives: gentoo-security

From: dev-random@××××.ru
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] #342619 RESOLVED WONTFIX
Date: Thu, 28 Oct 2010 01:04:54
Message-Id: 20101028002353.GA10276@localhost
In Reply to: Re: [gentoo-security] #342619 RESOLVED WONTFIX by Volker Armin Hemmann
On Wed, Oct 27, 2010 at 08:33:56PM +0200, Volker Armin Hemmann wrote:
> please show me some enterprise distros incorporating that patch.
I didn't test that patch; even if it's incorrect, the bug report is not about a patch. It's about a security issue. For example, look here: This proof-of-concept exploit still works in Gentoo (amd64 stable at least, even hardened!), because some dangerous variables are not filtered out. (Note if you want to test it: vixie-cron won't execute the created file because it's not executable. Either use another crond, or use the exploit to create e.g. a udev rule instead of a crontab entry.) Another similar vulnerability caused by not filtering some variables was found about a week ago. I don't know if it still works in Gentoo, because hardened is not affected by that one.

