security/vuxml: Update entry for security/doas
* Add a reference to OpenBSD's tech mailing list that explains the issues with doas(1)'s environmental security in further detail.
* Clarify the origins of the reporting sources and fix a grammar nit.

PR: 239629
Reported by: Sander Bos
parent fb8243d85e
commit a55784cff1
Notes: svn2git, 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=509055
@ -230,7 +230,7 @@ executed even without intentional action by the user.</p>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jesse Smith of Resonating Media reports:</p>
<p>Jesse Smith (upstream author of the doas program) reported:</p>
<blockquote cite="https://github.com/slicer69/doas/releases/tag/6.1">
<p>Previous versions of "doas" transferred most environment variables, such
as USER, HOME, and PATH from the original user to the target user.
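Review bot: the attribution wording "upstream author of the doas program" in the first paragraph of the body is ambiguous, because this entry also references OpenBSD's tech list for doas(1). The blockquote cites github.com/slicer69/doas, so naming that project in the attribution would make clear which upstream is meant. The two attribution lines also differ in tense ("reports" versus "reported"); keep whichever form the neighbouring entries in the file use.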
@ -238,15 +238,19 @@ executed even without intentional action by the user.</p>
Passing these variables could cause files in the wrong path or
home directory to be read (or written to), which resulted in potential
security problems.</p>
<p>Many thanks to Sander Bos for reporting this issue and explaining
how it can be exploited.</p>
</blockquote>
</body>
</description>
<references>
<mlist msgid="2a5cda45ef35e885c9a8b1e@tedunangst.com">https://marc.info/?l=openbsd-tech&m=156105665713340&w=2</mlist>
<url>https://github.com/slicer69/doas/releases/tag/6.1</url>
</references>
<dates>
<discovery>2019-08-03</discovery>
<entry>2019-08-09</entry>
<modified>2019-08-15</modified>
</dates>
</vuln>
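Review bot: the URL in the mlist element under references carries two query-string ampersands ("&m=156105665713340&w=2"); in the XML source these have to be written as &amp;amp; or the file is no longer well-formed, so confirm the committed text escapes them. It is also worth checking the msgid attribute against the Message-ID of the cited post, since it is the only other pointer to the thread if the marc.info link stops resolving.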