Re: FreeBSD Security Advisory FreeBSD-SA-06:03.cpio

On 2006.01.11 15:35:01 +0100, Aleksander Fafula wrote:

> I am preparing the translations of Security Advisories. This is why
> I have a few questions.

Hey,

Sure, ask away. We (FreeBSD Security Team) try to proof read a lot to
fix typo's and make the text as clear as possibly, but unfortunately
some things slip through.

> I don't unerstand who are 'they', (files?):
>
> > . The first problem can allow a local attacker to change the
> > permissions of files owned by the user executing cpio providing
> > that they have write access to the directory in which the file is
> > being extracted. (CVE-2005-1111)

Here "they" refers to the local attacker.

> > NOTE WELL: The solution described below causes cpio to not exact files
> > with absolute paths by default anymore. If it is required that cpio
> > exact files with absolute names, use the --absolute-filenames
> > parameter.
>
> Shouldn't 'exact' be 'extract'. It's very interesting for me as
> I see 'exact' here two times (two typos or maybe I don't understand
> this).

Whoops, yes it should be "extract" in both cases... well, at least I
was consistent in my typos... ;-).

I accept the pointy hat for this one.

> Another suggestion is:
> Security Advisories on www.freebsd.org should be ordered by date.
> Displaying 1,2,3 and no 4 causes people to omit advisory no 4! It
> should be displayed 4, 3, 2, 1 and probably all new releases - no matter
> how many.
> On http://www.freebsd.org/security/ sorting of advisories seems like above.

I agree in general, and I will try to improve it (though defining
"new" items is not too easy for something like this). Xin Li has
already reverse the order so 4, 3, and 2 are shown making it more
clear that there have been 4 so far in 2006.

--
Simon L. Nielsen
FreeBSD Security Team

Attachment:pgpAfnuqNdpxa.pgp
Description: PGP signature