> Impact: am I right in thinking that this is not in itself a security
> vulnerability, but that if there is a separate security vulnerability
> somewhere in Valve's binaries, having execmod access makes it
> significantly easier for an attacker to turn that vulnerability into
> arbitrary code execution, similar to an absence of the hardening measures
> (stack protector, PIC, etc.) that we're encouraged to use in packages
> that are built from source?

Yes.

> Am I right in saying that replacing some or all of the i386 binaries
> with x86_64 binaries would be sufficient? Or is there some simple thing
> Valve could do with a general-purpose compiler (I think they use gcc/g++)
> to get i386 binaries with the right magic flags?

Replacing with AMD64 doesn't inherently solve the problem. But as AMD64 has no shortage of registers the assembler tricks used for performance on i386 aren't used and this solves the problem.

They could just not use the assembler. I really don't think that they are doing anything performance intensive in this regard. When I maintained my own fork of those packages to address this issue (when i386 on the desktop was useful) I didn't have any performance problems with programs like mplayer.

> (I don't know whether Valve would be willing to require x86_64 for Steam
> - a lot of older games are only available as i386 binaries, and having
> steam be an i386 package makes it a lot easier to pull in i386 multiarch
> graphics drivers and other necessary libraries from the host system -
> but it's worth asking.)

If they had "steam" as an amd64-only package it would mean that you couldn't install Steam games on an i386 system. I really doubt that anyone wants to do that nowadays given that quad core amd64 systems can be found as rubbish nowadays. So if they entirely dropped support for running games on i386 it wouldn't be a problem and the i386 compiled games once installed would run fine. Of course i386 games might have the same issue, but that would only affect people who run those particular games while the current issue affects everyone who uses steam.

Can't an amd64 package have dependencies on i386 packages? Surely a better solution to depending on multiarch graphics drivers would be for a steam:amd64 package to recommend steam-graphics:i386 which depends on the graphics packages in question.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
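
SELinux checks execmod when a file-backed mapping that has been modified is made executable, which is what the dynamic loader does for a library carrying text relocations. The following is an added example, not part of the original message or of any package discussed in it: it reads an ELF file's dynamic section and reports whether it requests text relocations. It assumes text relocations are the reason execmod is needed here, which the thread does not state; `has_textrel` and `build_elf32` are hypothetical names and the test image is constructed.

```python
import struct

PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4

def has_textrel(elf: bytes) -> bool:
    """True if the dynamic section asks the loader to relocate the text segment."""
    if elf[:4] != b"\x7fELF" or elf[5] != 1:  # little-endian only (i386, amd64)
        raise ValueError("not a little-endian ELF image")
    # Header field offsets differ between ELFCLASS32 and ELFCLASS64.
    if elf[4] == 2:
        word, dyn_fmt, e_phoff, e_phentsize, p_offset, p_filesz = "<Q", "<qQ", 32, 54, 8, 32
    else:
        word, dyn_fmt, e_phoff, e_phentsize, p_offset, p_filesz = "<I", "<iI", 28, 42, 4, 16
    phoff, = struct.unpack_from(word, elf, e_phoff)
    phentsize, phnum = struct.unpack_from("<HH", elf, e_phentsize)
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from("<I", elf, base)[0] != PT_DYNAMIC:
            continue
        off, = struct.unpack_from(word, elf, base + p_offset)
        size, = struct.unpack_from(word, elf, base + p_filesz)
        blob = elf[off:off + size]
        blob = blob[:len(blob) - len(blob) % struct.calcsize(dyn_fmt)]
        for tag, val in struct.iter_unpack(dyn_fmt, blob):
            if tag == DT_NULL:
                break
            # Old toolchains emit DT_TEXTREL; newer ones may set DF_TEXTREL in DT_FLAGS.
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False

def build_elf32(dyn_entries):
    """Constructed minimal i386 image: ELF header, one PT_DYNAMIC phdr, dynamic array."""
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_DYNAMIC, 84, 0, 0, len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. every .so shipped in a package
        with open(path, "rb") as f:
            print(path, "TEXTREL" if has_textrel(f.read()) else "ok")
```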