security/vuxml: Update entry for security/doas

* Add a reference to OpenBSD's tech mailing list that explains the issues
  with doas(1)'s environmental security in further detail.
* Clarify the origins of the reporting sources and fix a grammar nit.

PR:		239629
Reported by:	Sander Bos
Kai Knoblich 2019-08-15 21:22:35 +00:00
parent fb8243d85e
commit a55784cff1
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=509055

@ -230,7 +230,7 @@ executed even without intentional action by the user.</p>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jesse Smith of Resonating Media reports:</p>
<p>Jesse Smith (upstream author of the doas program) reported:</p>
<blockquote cite="https://github.com/slicer69/doas/releases/tag/6.1">
<p>Previous versions of "doas" transferred most environment variables, such
as USER, HOME, and PATH from the original user to the target user.
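Review bot: the attribution paragraph ahead of the blockquote changes tense as well as wording, from "reports:" to "reported:". The line it replaces used the present tense, so unless the rest of the file has moved to the past tense, keep "reports:" and limit the change to the "(upstream author of the doas program)" clarification. The rewording also drops the "of Resonating Media" affiliation; if that is deliberate, the commit message should say so, since it only mentions clarifying the origins of the reporting sources.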
@ -238,15 +238,19 @@ executed even without intentional action by the user.</p>
Passing these variables could cause files in the wrong path or
home directory to be read (or written to), which resulted in potential
security problems.</p>
<p>Many thanks to Sander Bos for reporting this issue and explaining
how it can be exploited.</p>
</blockquote>
</body>
</description>
<references>
<mlist msgid="2a5cda45ef35e885c9a8b1e@tedunangst.com">https://marc.info/?l=openbsd-tech&amp;m=156105665713340&amp;w=2</mlist>
<url>https://github.com/slicer69/doas/releases/tag/6.1</url>
</references>
<dates>
<discovery>2019-08-03</discovery>
<entry>2019-08-09</entry>
<modified>2019-08-15</modified>
</dates>
</vuln>
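Review bot: the "Many thanks to Sander Bos" paragraph sits inside the blockquote whose cite attribute is the 6.1 release page, so it needs to be verbatim text from that page; if it is the committer's own acknowledgement, move it outside the blockquote so the quoted material stays attributable to its cited source. The new mlist reference points at a different source (the openbsd-tech post) than the one the blockquote quotes, and nothing in the description body says what that post adds. A short sentence outside the blockquote noting that the mailing list message explains the environment handling issue in more detail would connect the reference to the entry.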