Re: [SECURITY] [DSA 609-1] New atari800 packages fix local root exploit
Hi,

"Tue, 14 Dec 2004 14:07:51 -0500", "Joey Hess"
"Re: [SECURITY] [DSA 609-1] New atari800 packages fix local root exploit"

>> For the unstable distribution (sid) these problems will be fixed soon.
>
>Actually, according to
>http://marc.theaimsgroup.com/?l=bugtraq&m=110149441815270&w=2 upstream
>version 1.3.2 in sid/sarge is not vulnerable.

so, should fix wml file (and its translations).

--
Regards,

Hideki Yamane    mailto:henrich @ iijmio-mail.jp
Re: [SECURITY] [DSA 609-1] New atari800 packages fix local root exploit
On Tue, Dec 14, 2004 at 05:03:01PM +0100, Martin Schulze wrote:
>
> Adam Zabrocki discovered multiple buffer overflows in atari800, an
> Atari emulator. In order to directly access graphics hardware, one of
> the affected programs is installed setuid root. A local attacker
> could exploit this vulnerability to gain root privileges.

I wonder if we could have some sort of policy to prevent this kind of silly bug. It doesn't make sense to use root privs for displaying graphics when we have privilege separation layers like SDL and X.

--
 .''`.   Proudly running Debian GNU/kFreeBSD unstable/unreleased (on UFS2+S)
: :' :
`. `'    http://www.debian.org/ports/kfreebsd-gnu
  `-
Re: [SECURITY] [DSA 609-1] New atari800 packages fix local root exploit
Martin Schulze wrote on Tue 14. 12. 2004 at 17:03 +0100:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --
> Debian Security Advisory DSA 609-1 [EMAIL PROTECTED]
> http://www.debian.org/security/ Martin Schulze
> December 14th, 2004 http://www.debian.org/security/faq
> - --
>
> Package        : atari800
> Vulnerability  : buffer overflows
> Problem-Type   : local
> Debian-specific: no
> CVE ID         : CAN-2004-1076
>
> Adam Zabrocki discovered multiple buffer overflows in atari800, an
> Atari emulator. In order to directly access graphics hardware, one of
> the affected programs is installed setuid root. A local attacker
> could exploit this vulnerability to gain root privileges.
>
> For the stable distribution (woody) these problems have been fixed in
> version 1.2.2-1woody3.
>
> For the unstable distribution (sid) these problems will be fixed soon.

I got it fixed in Atari800 CVS. Guess it won't make you very happy. I know I should have made a proper release already.

Petr
Re: [SECURITY] [DSA 609-1] New atari800 packages fix local root exploit
Martin Schulze wrote:
> For the stable distribution (woody) these problems have been fixed in
> version 1.2.2-1woody3.
>
> For the unstable distribution (sid) these problems will be fixed soon.

Actually, according to
http://marc.theaimsgroup.com/?l=bugtraq&m=110149441815270&w=2 upstream
version 1.3.2 in sid/sarge is not vulnerable.

--
see shy jo