A list of publicly known but unfixed security bugs
Latest commit feb6545 Mar 9, 2018

Please submit a pull request if you have corrections or know about any other unfixed security bugs.

tar

Chrome

Pretty much every terminal emulator

sudo

  • When running sudo -u non-root-user as root, TIOCSTI allows the command in sudo -u non-root-user command to execute anything as root. Can be fixed with Defaults use_pty in sudoers. More notes.

  • sudo credential caching (generally enabled by default; disabled with Defaults timestamp_timeout=0) allows any process in a TTY to do a passwordless sudo within the timeout period, not just commands that you've prefixed with sudo in the shell.
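A way to check a sudoers file for the two settings named above, as an added example (not code from this repository). It parses only unscoped Defaults lines, runs on constructed sample text, and assumes that an unset use_pty means off; pass use_pty_default=True if your sudo build enables it by default.

```python
import re

# Constructed sample sudoers text (not taken from a real system).
SAMPLE = r"""
# local policy
Defaults env_reset, \
         mail_badpass
Defaults timestamp_timeout=15
Defaults:alice use_pty
root ALL=(ALL:ALL) ALL
"""
HARDENED = SAMPLE + "Defaults use_pty, timestamp_timeout=0\n"

def global_defaults(text):
    """Map each setting on unscoped 'Defaults' lines to its value; later lines win."""
    text = re.sub(r"\\\n", " ", text)              # join backslash-continued lines
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        m = re.match(r"Defaults\s+(.*)", line)     # Defaults:user / Defaults@host do not match
        if not m:
            continue
        # Simplification: splitting on "," ignores commas inside quoted values.
        for item in filter(None, (i.strip() for i in m.group(1).split(","))):
            if "=" in item:
                name, value = item.split("=", 1)
                settings[name.strip()] = value.strip().strip('"')
            else:
                settings[item.lstrip("! ")] = not item.startswith("!")
    return settings

def audit(text, use_pty_default=False):
    """Return findings for the two sudoers settings discussed above."""
    d = global_defaults(text)
    findings = []
    if not d.get("use_pty", use_pty_default):      # assumption: unset means off
        findings.append("use_pty not enabled globally")
    timeout = d.get("timestamp_timeout")
    if not (isinstance(timeout, str) and float(timeout) == 0):
        findings.append("credential caching enabled (timestamp_timeout != 0)")
    return findings

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE), ("hardened", HARDENED)):
        print(name, audit(text) or "ok")
```

The sample shows why scope matters: Defaults:alice use_pty applies to one user only, so the global check still reports use_pty as missing.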

VirtualBox

virt-manager/spice-gtk

Xorg

Node

Erlang/OTP

Twisted

WeeChat

phantomjs, libqtwebkit4, libqt5webkit5

  • These packages exist in a state of permanent insecurity because they don't keep up with the ~6-week browser update cycle. (e.g. take any one of the many WebKit security bugs fixed after the last release of these packages, which could be about a year old.)

Windows

Packages in your Linux distribution

On your LineageOS device