Re: Debian package manager privilege escalation attack

To: debian-devel@lists.debian.org
Subject: Re: Debian package manager privilege escalation attack
From: Brian Thompson <brian@hashvault.io>
Date: Thu, 12 Aug 2021 01:25:06 -0500
Message-id: <[🔎] 403fc957dc65d27a4908606dd9c6d2eaab48343a.camel@hashvault.io>
In-reply-to: <[🔎] YRS9YQ8UZGE303+j@belkar.wrar.name>
References: <[🔎] CAO6YxPyH5DKH8TB8o=EsE0CesqrqP_Uh1+5DiJOeJjaaY9bPng@mail.gmail.com> <[🔎] 31b54d97-15b4-7cc3-d083-1fe3a664ee91@thykier.net> <[🔎] a91c91916c65e7504d7a035063e08f9f4effffce.camel@hashvault.io> <[🔎] YRS9YQ8UZGE303+j@belkar.wrar.name>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thu, 2021-08-12 at 11:19 +0500, Andrey Rahmatullin wrote:
> On Thu, Aug 12, 2021 at 01:12:37AM -0500, Brian Thompson wrote:
> > Would you agree that there is an issue with sudo access that is
> > enabled
> > by default on most Debian and Debian-based distributions? The bug
> > may
> > not be in apt, but it definitely lives somewhere.
> Do you think "sudo access" itself is a "privilege escalation attack"?

I do not. I think that the possibility of dangerously configured sudo
access is a vulnerability.
-----BEGIN PGP SIGNATURE-----

iQJHBAEBCgAxFiEE9fpVo96/flopdKOfgw2Ncu3Nhn0FAmEUvsITHGJyaWFuQGhh
c2h2YXVsdC5pbwAKCRCDDY1y7c2GffuzD/9+1W9z3AA/DFy5HgBgV5ntSiP6hhQ4
PdybHxQ1zP7A4uZHdGV4IqsfOKWkuhnzV/dA5Rpk7pvT1iWDQgkz7uEK5HXkQT4N
QCg3MeBbqdDpqG5UakVnyu+qGJ26pRyQYmq54dZOUFmNJL8uF5BwnPg7d4NWikds
0e2QrYtyaFFVaInhDHE7uM+eYQtmWSP5yXYxGy9RLjUpLB1SPqAxeR4bZxeJ2yAz
873L1VpWOHbmxsRZj6NRH6dh2o87fqAq1BcnJZrLpbm38YKIE8PKtaNjKlhFLItt
hwnGPJfobrxGG4gPgwJBB2S+FP+K6kWxSSA9y1lpAo+kLZlZFENWWxnGpgBIZ2+Q
DZTFM6nPkwAvWLz1rpP5tf9Kqa7ABLyHnHdNqHAd44VtihCjwFkRtzPQgoysPGux
nghHMpCmdYXuen6xaPaDSvR5emy6XVuuYvEBVjGMtR4VwJsYwgLOv1hbh+yN+fTx
ItpwQjOXsD0PgGPs5BjF2G2aGHiVcHLuAZ6q0JbBo+QsCC5T3cDEJyPyuImRpNUX
zQ9oyA8crGO5kq/7qz1I8/mMBrbaHKtgI9sCwwOwT56EUCvN2J0VcQGgrqQ0mVEB
fJnCJFGlBrixpwbrMOik/P4QtibprVh070MgATb0QunTxyJLvnC3y/1XySkRCY8j
eLvWe2IBKBalmw==
=4yEj
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: Debian package manager privilege escalation attack
  - From: Andrey Rahmatullin <wrar@debian.org>
- Re: Debian package manager privilege escalation attack
  - From: Polyna-Maude Racicot-Summerside <debian@polynamaude.com>

References:
- Debian package manager privilege escalation attack
  - From: Timothy M Butterworth <timothy.m.butterworth@gmail.com>
- Re: Debian package manager privilege escalation attack
  - From: Niels Thykier <niels@thykier.net>
- Re: Debian package manager privilege escalation attack
  - From: Brian Thompson <brian@hashvault.io>
- Re: Debian package manager privilege escalation attack
  - From: Andrey Rahmatullin <wrar@debian.org>

Prev by Date: Re: Debian package manager privilege escalation attack
Next by Date: Re: Debian package manager privilege escalation attack
Previous by thread: Re: Debian package manager privilege escalation attack
Next by thread: Re: Debian package manager privilege escalation attack
Index(es):
- Date
- Thread