Bug#: 8556
Status: RESOLVED
Resolution: FIXED
Assigned To: Seemant Kulleen (RETIRED) <seemant@gentoo.org>
Reporter: SpanKY <vapier@gentoo.org>

Description:   Opened: 2002-09-30 01:04 0000
in the ebuilds, it says 'in order to utilize svga, links must be setuid' ...
well setting it uid of 0 allows for a local root exploit

i would rather people bend over backwards to get svga support in their links 
program than get bent over just for svga support

SOLUTION:
(1) remove the lines in both links-2.1 ebuilds:
        # links needs to be setuid for it to work with svga
        use svga && ( \
                fperms 4755 /usr/bin/links2
        )
(2) send out a security advisory telling people to run:
emerge rsync
emerge links

------- Comment #1 From Seemant Kulleen (RETIRED) 2002-09-30 22:51:16 0000 -------
ok, now the user will be spammed a message in postinst, explaining that suid bit
must be set on /usr/bin/links2 to enable SVGA support.  this message is only
spammed if "svga" is in USE in the first place.
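
An added example, not part of the original bug thread or the Gentoo ebuild: a shell check for whether a binary such as /usr/bin/links2 still carries the setuid bit that `fperms 4755` sets, with a helper that clears it. The function names are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Audit helper (added example; function names are hypothetical).
# Assumes GNU coreutils for `stat -c`.

# is_setuid PATH: true if PATH is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# owner_uid PATH: numeric uid of the file owner.
owner_uid() {
    stat -c '%u' "$1"
}

# audit_setuid PATH: print one status line.
# Returns 0 if the file is clean, 1 if setuid is set, 2 if it is missing.
audit_setuid() {
    if [ ! -e "$1" ]; then
        echo "missing      $1"
        return 2
    fi
    if is_setuid "$1"; then
        if [ "$(owner_uid "$1")" = 0 ]; then
            echo "SETUID-ROOT  $1"   # mode 4xxx owned by uid 0: runs as root
        else
            echo "SETUID       $1"
        fi
        return 1
    fi
    echo "ok           $1"
    return 0
}

# strip_setuid PATH: clear only the setuid bit (4755 becomes 0755),
# then confirm the bit is really gone.
strip_setuid() {
    is_setuid "$1" || return 0
    chmod u-s "$1" && ! is_setuid "$1"
}

# When paths are given on the command line, audit each one,
# e.g.:  sh audit.sh /usr/bin/links2
if [ "$#" -gt 0 ]; then
    for path; do
        audit_setuid "$path" || true
    done
fi
```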
