[36044] in bugtraq


Re: GNU/Linux 'info Buffer Overflow

daemon@ATHENA.MIT.EDU (Janusz A. Urbanowicz)
Sun Aug 8 08:05:56 2004

Date: Sat, 7 Aug 2004 17:31:11 +0200
To: bugtraq@securityfocus.com
Message-ID: <20040807153111.GB24390@syjon.fantastyka.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-ripemd160;
	protocol="application/pgp-signature"; boundary="DBIVS5p969aUjpLe"
Content-Disposition: inline
In-Reply-To: <20040806214112.GA56688@snowcrash.tpb.net>
From: "Janusz A. Urbanowicz" <alex@syjon.fantastyka.net>


--DBIVS5p969aUjpLe
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Aug 06, 2004 at 11:41:12PM +0200, Niels Bakker wrote:
> /usr/bin/info is not setuid, and I can't think of any way to invoke the
> program where it would allow for privilege escalation.  Why is the
> severity "grave?" Remember that this is bugtraq, about security, not
> the Debian bug tracking system, or texinfo's gnats.

I think that the severity is overstated for Debian BTS too, IMO - and
according to Debian Policy - this should be 'normal' or 'serious' at
highest.

Alex

PS> Niels, your advertised address bounces with virtusertable errors,
I tried to send this offlist first.
-- 
0x46399138

--DBIVS5p969aUjpLe--
