Date: Wed, 11 Jan 2006 21:53:34 +0100
From: "Simon L. Nielsen"
To: Aleksander Fafula
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:03.cpio
Message-ID: <20060111205333.GB839@zaphod.nitro.dk>
In-Reply-To: <20060111143501.GB21628@fafula.com>
References: <200601110819.k0B8JEl0066658@freefall.freebsd.org> <20060111143501.GB21628@fafula.com>

On 2006.01.11 15:35:01 +0100, Aleksander Fafula wrote:
> I am preparing the translations of Security Advisories. This is why
> I have a few questions.

Hey,

Sure, ask away. We (FreeBSD Security Team) try to proofread a lot to fix typos and make the text as clear as possible, but unfortunately some things slip through.
> I don't understand who are 'they', (files?):
>
> > . The first problem can allow a local attacker to change the
> > permissions of files owned by the user executing cpio providing
> > that they have write access to the directory in which the file is
> > being extracted. (CVE-2005-1111)

Here "they" refers to the local attacker.

> > NOTE WELL: The solution described below causes cpio to not exact files
> > with absolute paths by default anymore. If it is required that cpio
> > exact files with absolute names, use the --absolute-filenames
> > parameter.
>
> Shouldn't 'exact' be 'extract'? It's very interesting for me as
> I see 'exact' here two times (two typos or maybe I don't understand
> this).

Whoops, yes it should be "extract" in both cases... well, at least I was consistent in my typos... ;-). I accept the pointy hat for this one.

> Another suggestion is:
> Security Advisories on www.freebsd.org should be ordered by date.
> Displaying 1,2,3 and no 4 causes people to omit advisory no 4! It
> should be displayed 4, 3, 2, 1 and probably all new releases - no matter
> how many.
> On http://www.freebsd.org/security/ sorting of advisories seems like above.

I agree in general, and I will try to improve it (though defining "new" items is not too easy for something like this). Xin Li has already reversed the order so 4, 3, and 2 are shown, making it more clear that there have been 4 so far in 2006.

--
Simon L. Nielsen
FreeBSD Security Team
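The advisory text quoted in this thread turns on whether cpio extracts entries whose names are absolute paths. As an added example, not part of this thread and not FreeBSD's or GNU cpio's own code, the following Python script parses the SVR4 "newc" cpio format and lists entries that would land outside the extraction directory, so an archive can be vetted before it is fed to cpio. It goes slightly beyond the advisory by also flagging `..` path components. The archive it scans is constructed in memory, and the names `build_newc_archive`, `iter_newc_entries` and `unsafe_entries` are chosen here.

```python
"""Vet a cpio archive (SVR4 "newc" format) for entries that would escape the
extraction directory: absolute names or names containing '..' components.

Added example for this mailing-list thread; not FreeBSD code and not part of
FreeBSD-SA-06:03.cpio. The sample archive is constructed in memory.
"""

NEWC_MAGIC = b"070701"
HEADER_LEN = 110  # 6 magic bytes + 13 fields of 8 ASCII hex characters each


def _pad4(n):
    """Bytes of zero padding needed to round n up to a multiple of 4."""
    return (-n) % 4


def build_newc_archive(entries):
    """Build a minimal newc archive from (name, data) pairs (constructed input).

    Only the fields the scanner needs are meaningful; every entry is written
    as a regular file with mode 0644 and a fixed uid/gid of 0.
    """
    out = bytearray()
    for ino, (name, data) in enumerate(entries, start=1):
        name_b = name.encode() + b"\0"
        # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
        # rdevmajor, rdevminor, namesize, check
        fields = [ino, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
        out += name_b + b"\0" * _pad4(HEADER_LEN + len(name_b))
        out += data + b"\0" * _pad4(len(data))
    trailer = b"TRAILER!!!\0"
    fields = [0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, len(trailer), 0]
    out += NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
    out += trailer + b"\0" * _pad4(HEADER_LEN + len(trailer))
    return bytes(out)


def iter_newc_entries(blob):
    """Yield (name, mode, filesize) for each entry, stopping at the trailer."""
    pos = 0
    while pos + HEADER_LEN <= len(blob):
        hdr = blob[pos:pos + HEADER_LEN]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = pos + HEADER_LEN
        # namesize counts the terminating NUL, which we drop here
        name = blob[name_start:name_start + namesize - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":
            return
        yield name, mode, filesize
        # name is padded so that header + name ends on a 4-byte boundary;
        # file data is padded to a 4-byte boundary as well
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        pos = data_start + filesize + _pad4(filesize)
    raise ValueError("archive truncated: no TRAILER!!! entry found")


def unsafe_entries(blob):
    """Return names that would be written outside the extraction directory."""
    bad = []
    for name, _mode, _size in iter_newc_entries(blob):
        if name.startswith("/") or ".." in name.split("/"):
            bad.append(name)
    return bad


# Constructed sample: one harmless relative entry, one absolute path of the
# kind the advisory's default now refuses, and one parent-directory escape.
SAMPLE = build_newc_archive([
    ("etc/motd", b"hello\n"),
    ("/etc/passwd", b"root::0:0::/root:/bin/sh\n"),
    ("../.profile", b"echo hi\n"),
])


if __name__ == "__main__":
    for name, mode, size in iter_newc_entries(SAMPLE):
        print("%o %6d %s" % (mode, size, name))
    flagged = unsafe_entries(SAMPLE)
    print("refuse to extract:", flagged if flagged else "nothing flagged")
```

Run against a real archive by replacing `SAMPLE` with the file's bytes; only entries the scanner reports as clean should reach `cpio -i`, and the archive should still be extracted without `--absolute-filenames` so the new default stays in force.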