* Andrew Makhorin <[EMAIL PROTECTED]> [2007-09-15 15:59]:

> > We are not talking about normal users following the conventions. We are
> > talking about a malicious hacker that could exploit the buffer overflow
> > vulnerability currently in GLPK. I do not know much about such exploits
> > (and have no interest in learning them either) but knowing that Debian is
> > currently distributing libglpk with such a vulnerability makes me really
> > nervous.
>
> I do not think that that could jeopardize the system, only the application.

I would not underestimate the creativity of the malicious crackers nowadays.
Buffer overflow vulnerabilities are carefully addressed. A search at the
cve.mitre.org website for "buffer overflow" [1] yields 4840 hits.

[1] http://www.google.com/custom?q=buffer+overflow&sa=Google+Search&cof=S%3Ahttp%3A%2F%2Fcve.mitre.org%3BGL%3A0%3BAH%3Aleft%3BLC%3A%23009%3BL%3Ahttp%3A%2F%2Fcve.mitre.org%2Fimages%2Fgoogle_cvelogo.jpg%3BAWFID%3Adf91761661c84389%3B&domains=cve.mitre.org&sitesearch=cve.mitre.org

> > I think that I will patch your sources for the Debian package along the
> > vsnprintf lines suggested by Peter. I would encourage you to fix the
> > problem in the GLPK source.
>
> Okay. I will make necessary changes to use vsnprintf rather than vsprintf
> in the next release.

Thanks. In the meanwhile, I uploaded the patched version 4.21-2 of the
Debian package.

--
Rafael
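
The change discussed in this thread, replacing vsprintf with vsnprintf, sketched as an added example. It is not GLPK's code or the Debian patch, and the names msg_unsafe, msg_bounded, msg_alloc and MSG_SIZE are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_SIZE 16  /* hypothetical size, kept small so truncation is visible */

/* The pattern being replaced: vsprintf does not know how large buf is, so a
   long expansion writes past its end. Shown for contrast, never called. */
void msg_unsafe(char *buf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);
    va_end(ap);
}

/* Bounded replacement: returns 0 if the whole message fit, 1 if it was
   truncated (buf is still NUL-terminated), -1 on a formatting error. */
int msg_bounded(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (size == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);   /* n = length the full text needs */
    va_end(ap);
    if (n < 0) { buf[0] = '\0'; return -1; }
    return (size_t)n >= size ? 1 : 0;
}

/* When truncation is not acceptable: measure first, then allocate exactly.
   va_copy is needed because a va_list cannot be reused after one pass. */
char *msg_alloc(const char *fmt, ...)
{
    va_list ap, ap2;
    int n;
    char *out;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    n = vsnprintf(NULL, 0, fmt, ap);     /* first pass only measures */
    va_end(ap);
    out = n < 0 ? NULL : malloc((size_t)n + 1);
    if (out != NULL) vsnprintf(out, (size_t)n + 1, fmt, ap2);
    va_end(ap2);
    return out;                          /* caller frees; NULL on failure */
}
```

Checking the return value matters: a silently truncated message is safe for memory but may still hide the part of the text a caller relies on.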