Re: [PATCH] gnu: ntfs-3g: Fix CVE-2017-0358.
From: Marius Bakke
Subject: Re: [PATCH] gnu: ntfs-3g: Fix CVE-2017-0358.
Date: Fri, 10 Feb 2017 00:07:35 +0100
User-agent: Notmuch/0.23.5 (https://notmuchmail.org) Emacs/25.1.1 (x86_64-unknown-linux-gnu)
Leo Famulari <address@hidden> writes:
> On Thu, Feb 09, 2017 at 11:39:42PM +0100, Marius Bakke wrote:
>> Kei Kebreau <address@hidden> writes:
>>
>> > Reviewers, how does this patch look to you?
>>
>> AFAIU from CVE-2017-0358, ntfs-3g is only vulnerable when installed
>> setuid root, which is not the case on guix.
>>
>> FWIW Debian do not carry this patch, but have fixed the CVE according to
>> the changelog. So I doubt this patch is necessary.
>
> There have been a couple security-related bugs publicized recently that
> are only dangerous when the software is installed setuid root.
>
> Although we don't do that by default, system administrators can do it on
> GuixSD. I also think that Guix is valuable as a distribution mechanism
> of free source code, and we should fix bugs for that use case.
>
> So, I was thinking that we should fix these bugs unless they require
> grafting, and then we should fix them in core-updates.
>
> WDYT?
That does make a lot of sense. Reading up on execl(3), it looks like
this patch does the right thing and can't hurt even when not setuid.
Mind=changed! :P