guix-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] gnu: ntfs-3g: Fix CVE-2017-0358.


From: Kei Kebreau
Subject: Re: [PATCH] gnu: ntfs-3g: Fix CVE-2017-0358.
Date: Thu, 09 Feb 2017 22:28:56 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Marius Bakke <address@hidden> writes:

> Kei Kebreau <address@hidden> writes:
>
>> Marius Bakke <address@hidden> writes:
>>
>>> Leo Famulari <address@hidden> writes:
>>>
>>>> On Thu, Feb 09, 2017 at 11:39:42PM +0100, Marius Bakke wrote:
>>>>> Kei Kebreau <address@hidden> writes:
>>>>> 
>>>>> > Reviewers, how does this patch look to you?
>>>>> 
>>>>> AFAIU from CVE-2017-0358, ntfs-3g is only vulnerable when installed
>>>>> setuid root, which is not the case on guix.
>>>>> 
>>>>> FWIW Debian do not carry this patch, but have fixed the CVE according to
>>>>> the changelog. So I doubt this patch is necessary.
>>>>
>>>> There have been a couple security-related bugs publicized recently that
>>>> are only dangerous when the software is installed setuid root.
>>>>
>>>> Although we don't do that by default, system administrators can do it on
>>>> GuixSD. I also think that Guix is valuable as a distribution mechanism
>>>> of free source code, and we should fix bugs for that use case.
>>>>
>>>> So, I was thinking that we should fix these bugs unless they require
>>>> grafting, and then we should fix them in core-updates.
>>>>
>>>> WDYT?
>>>
>>> That does make a lot of sense. Reading up on execl(3), it looks like
>>> this patch does the right thing and can't hurt even when not setuid.
>>>
>>> Mind=changed! :P 
>>
>> Are we all agreed on pushing this change?
>
> I agree with Leo that we should try to cover for all use cases of
> software from Guix, so this change LGTM.

Great! Pushed as 1a82ba660e88e731841882523084e5d878267b53.

Attachment: signature.asc
Description: PGP signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]