Bug#: 8556
Status: RESOLVED
Resolution: FIXED
Assigned To: Seemant Kulleen (RETIRED) <seemant@gentoo.org>
Reporter: SpanKY <vapier@gentoo.org>
Description:   Opened: 2002-09-30 01:04 0000
in the ebuilds, it says 'in order to utilize svga, links must be setuid' ...
well setting it uid of 0 allows for a local root exploit

i would rather people bend over backwards to get svga support in their links 
program than get bent over just for svga support

SOLUTION:
(1) remove the lines in both links-2.1 ebuilds:
        # links needs to be setuid for it to work with svga
        use svga && ( \
                fperms 4755 /usr/bin/links2
        )
(2) send out a security advisory telling people to run:
emerge rsync
emerge links

------- Comment #1 From Seemant Kulleen (RETIRED) 2002-09-30 22:51:16 0000 -------
ok, now the user will be spammed a message in postinst, explaining that suid bit
must be set on /usr/bin/links2 to enable SVGA support.  this message is only
spammed if "svga" is in USE in the first place.
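
Added example (not part of the bug report or of the Gentoo tree): a shell function that scans ebuild text for fperms calls that set the setuid or setgid bit, such as the `fperms 4755 /usr/bin/links2` line quoted in the description. It goes beyond that one line to cover setgid and symbolic modes; the function names, the example-helper and example-game paths and the "foo" USE flag are assumptions made up for the sample.

```shell
#!/bin/sh
# Added example: audit ebuild text for fperms calls that set setuid/setgid.

# Reads ebuild text on stdin; prints "<line>:<mode>:<path>" for each file that
# an fperms call marks setuid (4000) or setgid (2000).
# Limitation: the mode and paths must be on the same line as "fperms".
scan_setid_fperms() {
    awk '
    function is_setid(m,    d) {
        if (m ~ /^[0-7]+$/) {                    # octal mode, e.g. 4755
            if (length(m) < 4) return 0
            d = substr(m, length(m) - 3, 1) + 0  # special-bits digit
            return d >= 2                        # 2=setgid, 4=setuid, 6=both
        }
        return m ~ /[+=][rwxXt]*s/               # symbolic mode, e.g. u+s
    }
    {
        line = $0
        sub(/(^|[ \t])#.*/, "", line)            # drop shell comments
        nc = split(line, cmd, /[;()]|&&|\|\|/)   # one entry per simple command
        for (c = 1; c <= nc; c++) {
            n = split(cmd[c], tok)               # whitespace-separated words
            if (n < 3 || tok[1] != "fperms") continue
            j = 2
            while (j < n && tok[j] ~ /^-/) j++   # skip options such as -R
            if (!is_setid(tok[j])) continue
            for (k = j + 1; k <= n; k++)
                if (tok[k] != "\\") printf "%d:%s:%s\n", NR, tok[j], tok[k]
        }
    }'
}

# Constructed sample: the snippet quoted in the bug plus two made-up lines.
sample_ebuild() {
    cat <<'EOF'
src_install() {
    # links needs to be setuid for it to work with svga
    use svga && ( \
        fperms 4755 /usr/bin/links2
    )
    fperms 0755 /usr/bin/example-helper
    use foo && fperms g+s /usr/bin/example-game
}
EOF
}

sample_ebuild | scan_setid_fperms
```
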
