Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#62193 - [uucp] several executables are not stripped
Attached to Project:
Community Packages
Opened by Klaus Alexander Seistrup (kseistrup) - Saturday, 30 March 2019, 10:58 GMT
Last edited by Sergej Pupykin (sergej) - Friday, 17 May 2019, 15:34 GMT
Details
Description:
The following executables are not stripped:
- /usr/bin/cu
- /usr/bin/uucico
- /usr/bin/uucp
- /usr/bin/uuname
- /usr/bin/uustat
- /usr/bin/uux
- /usr/bin/uuxqt
Steps to reproduce:
$ file $(pacman --query --list uucp | awk '$2 ~ "/usr/bin/.+" {print $2}') | grep 'not stripped'
From the upstream Makefile:
	for f in uucico uuxqt; do \
	  chown $(OWNER) $(DESTDIR)$(sbindir)/$${f}; \
	  chmod 4555 $(DESTDIR)$(sbindir)/$${f}; \
	done
	for f in uux uucp uustat uuname cu; do \
	  chown $(OWNER) $(DESTDIR)$(bindir)/$${f}; \
	  chmod 4555 $(DESTDIR)$(bindir)/$${f}; \
	done
Additionally the chown calls have no effect as the uucp user is no longer used.
Edit:
Which means the binaries execute as setuid root not setuid uucp.
Shouldn't the risk of running several of the executables as setuid root justify raising the severity level to a level higher than the current “very low”?
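
A check for the condition discussed in the comments above, as an added example that is not part of the original report or of the uucp package: it lists which of the given paths carry the set-user-ID bit and the numeric owner they run as. The function names and the scratch files in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: report set-user-ID files among the given paths.
# Output, one line per hit: <path> <mode> uid=<owner uid> <verdict>
classify_setuid() {
    for f in "$@"; do
        # Only regular files with the setuid bit are of interest.
        [ -f "$f" ] && [ -u "$f" ] || continue
        # ls -n prints the numeric owner (field 3), so the result does not
        # depend on whether a matching account (e.g. uucp) still exists.
        meta=$(ls -ldn -- "$f" | awk '{print $1 " " $3}')
        mode=${meta% *}
        uid=${meta#* }
        if [ "$uid" -eq 0 ]; then
            verdict=setuid-root
        else
            verdict=setuid-other
        fi
        printf '%s %s uid=%s %s\n' "$f" "$mode" "$uid" "$verdict"
    done
}

# On an installed system the paths can come from the package file list,
# using the pacman query shown in the report:
#   classify_setuid $(pacman --query --list uucp | awk '{print $2}')

# Constructed demo: one scratch file given the Makefile's mode (4555)
# next to an ordinary file; only the first should be reported.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/uucico"
    : > "$d/README"
    chmod 4555 "$d/uucico"
    chmod 644 "$d/README"
    classify_setuid "$d/uucico" "$d/README"
    rm -rf "$d"
}

demo
```

A line ending in `uid=0 setuid-root` marks a binary that executes with root privileges regardless of who invokes it.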