[Bug 976770] Review Request: sstp-client - Secure Socket Tunneling Protocol (SSTP) Client

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



https://bugzilla.redhat.com/show_bug.cgi?id=976770

--- Comment #4 from Christopher Meng <cickumqt@xxxxxxxxx> ---
missing-call-to-setgroups has been renamed to
missing-call-to-setgroups-before-setuid.

This will be available in the next version.

And the explanation is:

This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this mean it didn't relinquish all groups, and this
would be a potential security issue to be fixed. Seek POS36-C on the web for
details about the problem.

Ref POS36-C:

https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges

Spec URL: http://cicku.me/sstp-client.spec
SRPM URL: http://cicku.me/sstp-client-1.0.9-2.fc20.src.rpm

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=qlfPeFZhjL&a=cc_unsubscribe
_______________________________________________
package-review mailing list
package-review@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/package-review





[Index of Archives]     [Fedora Legacy]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]