On Thu, 12 Jul 2007, [EMAIL PROTECTED] wrote:
> would it be possible to add an option to ask the user if he wants to
> chmod +s pd? some people told me it's dangerous. is it really? pd is
> already a powerful (read dangerous) software with the object system,
> shell or netreceive...

Last year I demonstrated that it is possible to make a very small external
that gives root access to the whole pd process. This vulnerability only
affects Miller's pd, including pd-0.41-0test04 (which is the absolute
latest). I have fixed that problem during devel_0_39 and carried it into
the desiredata branch.

This problem is largely theoretical so far, as it requires an external to
play with the setuid/seteuid commands. I can't think of any external that
does that, except the small test that I made for the purpose of verifying
my claim.

I haven't looked much for other possible breaches of root access.

_ _ __ ___ _____ ________ _____________ _____________________ ...
| Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada
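
The message above turns on whether code loaded into a setuid-root process can call seteuid() and get root back. As an added example (not part of the original message and not pd's or desiredata's code), this is how a host program can drop root permanently and verify the drop before loading plugins. The function names are hypothetical, and the seteuid()-only "temporary" drop is an assumed pattern shown for contrast, since the message does not say how pd drops privileges.

```c
/* Added example: temporary vs. permanent privilege drop in a setuid-root
 * host that later loads third-party plugins. POSIX calls only. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Weak pattern (assumed, not taken from pd's source): only the effective
 * IDs change; the saved set-user-ID stays 0. */
int drop_root_temporarily(void)
{
    if (setegid(getgid()) != 0) return -1;
    return seteuid(getuid());
}

/* Returns 1 if code in this process can get euid 0 back, else 0.
 * This is the same call any loaded plugin is able to make. */
int root_regainable(void)
{
    uid_t before = geteuid();
    if (seteuid(0) != 0)
        return 0;                 /* kernel refused: no root left */
    if (before != 0 && seteuid(before) != 0)
        _exit(1);                 /* could not restore: stop here */
    return 1;
}

/* Permanent drop: called with euid 0, setgid()/setuid() overwrite the real,
 * effective and saved IDs. Group first, because setgid() still needs root.
 * Returns 0 only if root is verifiably gone. */
int drop_root_permanently(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (uid == 0) return -1;      /* started by root: nothing to drop to */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (getegid() != gid || geteuid() != uid) return -1;
    return root_regainable() ? -1 : 0;
}

int main(void)
{
    if (drop_root_permanently() != 0) {
        fprintf(stderr, "root still reachable; refusing to load externals\n");
        return 1;
    }
    puts("root dropped permanently; loading externals");
    return 0;
}
```

If the process has already gone through drop_root_temporarily(), drop_root_permanently() returns -1: setuid() without privilege cannot clear the saved ID, and the root_regainable() check catches that.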