[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Security vulnerability in automake
|
From: |
Bernd Jendrissek |
|
Subject: |
Re: Security vulnerability in automake |
|
Date: |
Sat, 8 Jun 2002 01:52:29 +0200 |
On Fri, Jun 07, 2002 at 04:50:23PM -0400, Lawrence Teo wrote:
> My point is, if config.guess can be hardened against such potential symlink
> attacks, why shouldn't it be? Of course, it would be great to educate all
> admins not to build stuff as root. But it would also be a responsible thing
> to fix config.guess if we know that there's a potential issue in there.
[snip]
> Likewise, having a "hardened" config.guess file would not necessarily
> prevent symlink attacks, but it'll definitely make it much harder for an
> attacker to exploit it, even if the admin is sloppy.
An attacker is hardly likely to distribute a "hardened" config.guess
Build untrusted packages as root. Hose your system. Repeat until lesson
is learned: do not built untrusted packages as root.
Bernd Jendrissek