
Debian discusses vendoring—again

Posted Jan 13, 2021 8:53 UTC (Wed) by bangert (subscriber, #28342)
In reply to: Debian discusses vendoring—again by epa
Parent article: Debian discusses vendoring—again

I am not very well versed in the security area, but the above seems to me to be wrong.

Say you have a function that is vulnerable to a privilege escalation, but the application in question is not calling it, so it is "safe".
Now assume another part of the application has a remote code execution bug - boom, the "safe" privilege escalation is all of a sudden not so safe any more...

Apart from that, figuring out whether a specific function bundled in a dependency is used in a project is orders of magnitude harder than figuring out whether the project includes a given dependency (which itself can be difficult enough).


Debian discusses vendoring—again

Posted Jan 13, 2021 10:06 UTC (Wed) by mjg59 (subscriber, #23239) [Link]

In general, everything running inside a single process is in the same privilege domain. Once you've got arbitrary code execution in the app, having more libraries mapped in doesn't matter - they're not going to escalate your privileges.

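As an added illustration of the exchange above (this is not code from the thread, from Debian, or from any vendored library), the hypothetical C program below models a single process that contains a bundled function its own code never calls, plus an attacker who already has an arbitrary-call primitive inside that process. The names `vendored_dormant_function`, `app_used_function`, `mapped_code` and `attacker_call` are assumptions made for the illustration. It shows both points at once: "not called by the application" is not a barrier once the attacker chooses addresses (bangert's point), and whichever mapped function gets called, it runs with the same effective uid as the rest of the process, so the extra code confers no privilege by itself (mjg59's point).

```c
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical model, not code from any real project: a process that links a
 * "vendored" dependency containing one function the application never calls. */

static int dormant_called = 0;

/* Stand-in for a vulnerable function in a bundled dependency that the
 * application's own code never references. Assumed name. */
static uid_t vendored_dormant_function(void)
{
    dormant_called = 1;
    /* Whatever this function does, it executes as the calling process. */
    return geteuid();
}

/* A function the application does call in normal operation. Assumed name. */
static uid_t app_used_function(void)
{
    return geteuid();
}

/* Every function mapped into the process is reachable by address, whether or
 * not the application's control flow ever goes there. */
typedef uid_t (*mapped_fn_t)(void);
static const mapped_fn_t mapped_code[] = {
    app_used_function,          /* index 0: normally reachable */
    vendored_dormant_function,  /* index 1: never called by the app itself */
};

struct outcome {
    int   reached_dormant;  /* 1 if the "unused" dependency code actually ran */
    uid_t uid_before;       /* effective uid before the attacker's call */
    uid_t uid_after;        /* effective uid after it */
};

/* Model of an arbitrary-call primitive obtained through some unrelated
 * remote-code-execution bug: the attacker, not the application, picks which
 * mapped address is invoked. Out-of-range indices are simply ignored here. */
struct outcome attacker_call(size_t idx)
{
    struct outcome o;
    o.uid_before = geteuid();
    dormant_called = 0;

    if (idx < sizeof mapped_code / sizeof mapped_code[0])
        mapped_code[idx]();

    o.reached_dormant = dormant_called;
    o.uid_after = geteuid();   /* the kernel, not the library, decides this */
    return o;
}

int main(void)
{
    /* Attacker reaches the dormant function despite the app never calling it,
     * yet the process's privilege domain is unchanged. */
    struct outcome o = attacker_call(1);
    return (o.reached_dormant && o.uid_before == o.uid_after) ? 0 : 1;
}
```

The only thing that would turn the dormant function into a real escalation is a privilege boundary it can cross on the attacker's behalf, for example a setuid wrapper, a more privileged daemon it talks to, or a kernel bug it triggers; none of those come from merely having the library mapped in.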

Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds