[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security vulnerability in automake

From: Bernd Jendrissek
Subject: Re: Security vulnerability in automake
Date: Sat, 8 Jun 2002 01:52:29 +0200

On Fri, Jun 07, 2002 at 04:50:23PM -0400, Lawrence Teo wrote:
> My point is, if config.guess can be hardened against such potential symlink 
> attacks, why shouldn't it be? Of course, it would be great to educate all 
> admins not to build stuff as root. But it would also be a responsible thing 
> to fix config.guess if we know that there's a potential issue in there.


> Likewise, having a "hardened" config.guess file would not necessarily 
> prevent symlink attacks, but it'll definitely make it much harder for an 
> attacker to exploit it, even if the admin is sloppy.

An attacker is hardly likely to distribute a "hardened" config.guess

Build untrusted packages as root.  Hose your system.  Repeat until lesson
is learned: do not built untrusted packages as root.

Bernd Jendrissek

reply via email to

[Prev in Thread] Current Thread [Next in Thread]