[CentOS] Serious attack vector on pkcheck ignored by Red Hat
Chris Adams
linux at cmadams.net
Wed Feb 15 19:23:35 UTC 2017
Once upon a time, Gordon Messmer <gordon.messmer at gmail.com> said:
> Leonard, man... you've got let this go. Users with shell access
> already have fairly broad permission to execute arbitrary code on
> the system they log in to. The memory leak in pkcheck is *not* a
> security issue. It's just a bug.
Here's the other thing about it: you are saying it might could be
exploited in your setup (where other things maybe could not). That's
potentially a problem, but it is not a problem in most anybody else's
setup (most definitely not the default setup, or alternate setups from
the Red Hat documentation). Red Hat generally only devotes resources to
security issues in the default or documented setups; there have been
CVEs where they just say "this is outside any supported setup".
--
Chris Adams <linux at cmadams.net>
More information about the CentOS
mailing list