FreeBSD Security Advisory FreeBSD-SA-06:03.cpio

Simon L. Nielsen simon at FreeBSD.org
Wed Jan 11 12:53:36 PST 2006


On 2006.01.11 15:35:01 +0100, Aleksander Fafula wrote:

> I am preparing the translations of Security Advisories. This is why 
> I have a few questions.

Hey,

Sure, ask away.  We (FreeBSD Security Team) try to proof read a lot to
fix typo's and make the text as clear as possibly, but unfortunately
some things slip through.

> I don't unerstand who are 'they', (files?):
> 
> >   . The first problem can allow a local attacker to change the
> >     permissions of files owned by the user executing cpio providing
> >     that they have write access to the directory in which the file is
> >     being extracted. (CVE-2005-1111)

Here "they" refers to the local attacker.

> > NOTE WELL: The solution described below causes cpio to not exact files
> > with absolute paths by default anymore.  If it is required that cpio
> > exact files with absolute names, use the --absolute-filenames
> > parameter.
> 
> Shouldn't 'exact' be 'extract'. It's very interesting for me as 
> I see 'exact' here two times (two typos or maybe I don't understand 
> this).

Whoops, yes it should be "extract" in both cases... well, at least I
was consistent in my typos... ;-).

I accept the pointy hat for this one.

> Another suggestion is: 
> Security Advisories on www.freebsd.org should be ordered by date.
> Displaying 1,2,3 and no 4 causes people to omit advisory no 4! It 
> should be displayed 4, 3, 2, 1 and probably all new releases - no matter
> how many.
> On http://www.freebsd.org/security/ sorting of advisories seems like above.

I agree in general, and I will try to improve it (though defining
"new" items is not too easy for something like this).  Xin Li has
already reverse the order so 4, 3, and 2 are shown making it more
clear that there have been 4 so far in 2006.

-- 
Simon L. Nielsen
FreeBSD Security Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20060111/801c0b85/attachment.bin


More information about the freebsd-security mailing list