||08-21-2013 03:28 PM
Originally Posted by GazL
If gllbc isn't going to be bumped again before release, this one might need looking at.
The release notes for glibc 2.18 contained this (in addition to two others already patched in slackware-current's glibc 2.17):
IMO, CVE-2013-2207 isn't much of a problem, since it requires the system to be configured in a non-default and documented as insecure fashion. One of the requirements for exploiting this is creating a fuse.conf containing "user_allow_other". Let's have a look at what the documentation says on that option, and the related "allow_other" option:
Allow non-root users to specify the 'allow_other' or 'allow_root'
This option overrides the security measure restricting file access
to the user mounting the filesystem. So all users (including root)
can access the files. This option is by default only allowed to
root, but this restriction can be removed with a configuration
option described in the previous section.
I can't imagine anyone who is concerned with security enabling that. This can't be the only possible problem with it.
I looked into backporting the patch, but parts of it fail, and given the insecure system requirement I'm not convinced that it really matters much. I've given a bit of consideration to bumping glibc in -current, but who knows what new bugs might be lurking there (it took some work to iron out all the difficulties with 2.17).