Message-ID: <4507C685.2040101@s5r6.in-berlin.de>
Date:	Wed, 13 Sep 2006 10:51:17 +0200
From:	Stefan Richter <stefanr@...6.in-berlin.de>
To:	David Wagner <daw-usenet@...erner.cs.berkeley.edu>
CC:	linux-kernel@...r.kernel.org
Subject: Re: R: Linux kernel source archive vulnerable

David Wagner wrote:
>     (a) The Linux kernel tar archive contains files with world-writeable
>     permissions.

The group's and others' permissions in the tar archive don't matter.
They have no meaning on the local system. These archives are
distributions of sources and a few scripts --- they are not local archives.

>     (b) There is no need for those files to have world-writeable
>     permissions.  It doesn't serve any particular purpose.

Correction: The group's and others' permissions, regardless of how they are
set in the tar archive, don't serve any particular purpose. You should
consequently demand that an archive format is used which does not
transfer group's and others' permissions at all.

>     (c) Some users may get screwed over by virtue of the fact that those
>     files are listed in the tar archive with world-writeable permissions.

Correction: Some users who set a wrong umask when creating files by
extraction from these archives and then attempt to build their own kernel
from that may screw themselves over.

The danger here is that users who handle umask in a wrong way actually
run self-made kernels. _This_ is what you should campaign against first.
-- 
Stefan Richter
-=====-=-==- =--= -==-=
http://arcgraph.de/sr/
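The umask point made in the message above, as an added shell example that is not part of this thread: it builds a constructed tar archive containing one file stored with world-writable mode (0666), then shows that the mode the extracting user ends up with is the archive mode masked by that user's umask, not the archive mode itself. It assumes GNU tar; the `--no-same-permissions` option passed below is GNU tar's default for non-root users and is given explicitly so the behaviour is the same when run as root (where tar otherwise preserves archive modes). A small `find` check is included so an extracted tree can be audited for world-writable files.

```shell
#!/bin/sh
# Added example: extraction permissions are archive mode & ~umask, not the
# archive mode. Uses a constructed archive; nothing here touches a real tree.
set -eu

# make_archive -> prints a work directory containing src.tar whose single
# file member, src/Makefile, is stored with mode 0666 (world-writable).
make_archive() {
    work=$(mktemp -d)
    mkdir "$work/src"
    printf 'obj-y += foo.o\n' > "$work/src/Makefile"   # constructed content
    chmod 0666 "$work/src/Makefile"
    tar -C "$work" -cf "$work/src.tar" src
    echo "$work"
}

# archived_mode WORK -> mode string recorded inside the archive (rw-rw-rw-)
archived_mode() {
    tar -tvf "$1/src.tar" src/Makefile | cut -c2-10
}

# extract_tree WORK UMASK [TAR_OPTS] -> prints a fresh directory into which
# the archive was extracted under the given umask. TAR_OPTS is meant for
# --no-same-permissions (GNU tar; default for ordinary users) so the umask
# is applied even when this runs as root.
extract_tree() {
    work=$1; mask=$2; opts=${3:-}
    out=$(mktemp -d "$work/out.XXXXXX")
    (umask "$mask" && tar $opts -xf "$work/src.tar" -C "$out")
    echo "$out"
}

# mode_of FILE -> permission string as shown by ls -l, e.g. rw-r--r--
mode_of() {
    ls -l "$1" | cut -c2-10
}

# world_writable_files DIR -> number of regular files with the o+w bit set.
# This is the audit a builder can run over an extracted source tree.
world_writable_files() {
    find "$1" -type f -perm -002 | wc -l | tr -d ' '
}

# Demonstration when run directly.
W=$(make_archive)
echo "mode stored in archive:        $(archived_mode "$W")"
SAFE=$(extract_tree "$W" 022 --no-same-permissions)
echo "extracted with umask 022:      $(mode_of "$SAFE/src/Makefile")  world-writable files: $(world_writable_files "$SAFE")"
LOOSE=$(extract_tree "$W" 000 --no-same-permissions)
echo "extracted with umask 000:      $(mode_of "$LOOSE/src/Makefile")  world-writable files: $(world_writable_files "$LOOSE")"
```

With umask 022 the extracted file comes out rw-r--r-- although the archive says rw-rw-rw-; only a umask of 000 (or extracting as root without `--no-same-permissions`) reproduces the world-writable bit on the local system.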