Oh, is this already fixed in more recent versions? I don't need to include in this release.
.hc

On Jul 14, 2007, at 1:49 PM, Miller Puckette wrote:

> Hi Hans,
>
> In general, I've held off fixing bugs in 0.39 for fear of introducing
> new problems, especially since you've been working for so long to get
> Pd extended out. But this one is special since it's a security leak,
> so I'm inclined to fix it. If past experience is any guide, I'll make
> a mistake in a CVS commit and wreak havoc that will take days to clear
> up. Well, maybe not, who knows.
>
> I'm hoping it will prove easy enough to plug 0.40 into the extended
> release mechanism that for non-security bug fixes, it will suffice for
> me to fix them in 0.40 and wait for the march of time to propagate the
> fix. For instance, once I find the open-GOP-close-patch bug, I can
> fix that both in 0.40 and "latest" but leave 0.39 alone.
>
> Unless there's reason not to, I'll take the single offending 'e'
> character out of 0.39, "tag" it 0.39-3, and commit... ?
>
> cheers
> Miller
>
> On Sat, Jul 14, 2007 at 12:33:25PM -0400, Hans-Christoph Steiner wrote:
>>
>> On Jul 13, 2007, at 3:36 PM, Mathieu Bouchard wrote:
>>
>>> On Thu, 12 Jul 2007, Hans-Christoph Steiner wrote:
>>>> This is only possible if you are running Pd as root, which in
>>>> general is not a good idea. If Pd is running as a different user,
>>>> then you wouldn't be able to gain root access.
>>>
>>> We are *only* talking about setuid (chmod +s) and not starting pd
>>> from a root login.
>>>
>>> If pd is running as user "eighthave" but with setuid "root", pd is
>>> dropping privileges to be effectively just "eighthave", but does
>>> it the wrong way, causing it to be able to regain effective "root"
>>> later.
>>>
>>> I reported this bug last november:
>>>
>>> http://lists.puredata.info/pipermail/pd-dev/2006-11/007910.html
>>>
>>> I have fixed that bug in devel_0_39 on 2006.11.23.
>>
>> Sorry, I didn't see the part that it was just related to setuid.
>>
>> It would be very nice to have this bug fix as a patch in the tracker
>> so that it can be included in pd-vanilla and pd-extended.
>>
>> .hc
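The privilege drop discussed in this thread, as an added example that is not part of the original messages and not Pd's own code. It assumes the "single offending 'e' character" is the difference between `seteuid()` and `setuid()`; the helper name `drop_privileges_permanently` is hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not Pd's code): permanently give up setuid-root.
 * Returns 0 on success, -1 if the drop failed or root could be regained. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();   /* the invoking user, e.g. "eighthave" */
    gid_t rgid = getgid();

    /* Drop the group first; once the uid is unprivileged, setgid() can
     * no longer clear a saved set-group-ID. */
    if (setgid(rgid) != 0)
        return -1;

    /* setuid(), not seteuid(): while the effective uid is 0, setuid()
     * overwrites the real, effective AND saved uid. seteuid() changes only
     * the effective uid and leaves the saved uid at 0, so a later
     * seteuid(0) or setuid(0) would hand root back to the process. */
    if (setuid(ruid) != 0)
        return -1;

    /* Verify instead of trusting the return value: an unprivileged process
     * must not be able to become root again. Skipped when the real user is
     * root, where there was nothing to drop. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    if (geteuid() != ruid)
        return -1;
    return 0;
}

int main(void)
{
    printf("before: real uid %ld, effective uid %ld\n",
           (long)getuid(), (long)geteuid());
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    printf("after:  real uid %ld, effective uid %ld\n",
           (long)getuid(), (long)geteuid());
    return 0;
}
```

Run from a root-owned binary with the setuid bit set, the "before" line shows effective uid 0 and the "after" line shows the invoking user for both ids.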
