Comment 12 for bug 634183
Revision history for this message
|
|
#12 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
67d34a1
(Get the code!)
Apologies, I suffer from keyboard typing lag on Mac OS X Snow Leopard.
This typing of mine
Show me the CVE for XATTR's or the reasoning why SE Linux XATTR's should
not _ALSO_ be not disputed as unworthy of a CVE.
should have been
Show me the CVE for XATTR's or the reasoning why SE Linux XATTR's should
_ALSO_ not be disputed as unworthy of a CVE.
Not the permutation of "not" and "be" and the removal of a double negative
that makes me look like an idiot.
The reasoning re "attributes" that potentially lead to escalation that
remain after RPM does unlink(2) with the information that RPM "knows"
is sound even if I can't type worth a damn.
NONE of this crap is worthy of *ANY* CVE. The creation of a hardlink
outside of RPM package management is no problem that could/should/would
be meaningfully resolved in RPM itself.
Arguably RPM should verify st->st_nlink to be as "expected"
before doing unlink(2) and spew a warning if not. Any other
implementation is deranged. JMHO, YMMV, everyone's (and clearly MITRE's)
does.