Bug#475733: acon: local root exploit

2008-04-13 Thread Nico Golde
Hi Helmut, * Helmut Grohne [EMAIL PROTECTED] [2008-04-13 00:36]: From the source code: [...] 309 void set_user_id(void) 310 { 311 seteuid(user_id); 312 } So why do you think it does not drop setuid root, the code does? You are right in that it drops

Bug#475733: acon: local root exploit

2008-04-12 Thread Helmut Grohne
Package: acon Version: 1.0.5-5 Severity: critical Tags: security Justification: root security hole The package has a setuid binary acon. The binary never drops setuid. The source code contains the following lines: (acon.c) char tmp[300]; ... if((env=getenv("HOME")))

Bug#475733: acon: local root exploit

2008-04-12 Thread Nico Golde
Hi Helmut, * Helmut Grohne [EMAIL PROTECTED] [2008-04-12 17:47]: The package has a setuid binary acon. The binary never drops setuid. [...] From the source code: 35 int main(int argc,char **argv) 36 { 37 int i,tty,useunicode=0; 38 char

Bug#475733: acon: local root exploit

2008-04-12 Thread أحمد المحمودي
Hello, Actually patch 05_setuid.dpatch that was introduced in 1.0.5-2 comments the line: 311 seteuid(user_id); which is the line to drop setuid root. The reason was to fix a bug that made some control keys not to work when 'acon' was run without sudo. I will drop this

Bug#475733: acon: local root exploit

2008-04-12 Thread Julien Cristau
On Sat, Apr 12, 2008 at 19:15:45 +0200, أحمد المحمودي wrote: Hello, Actually patch 05_setuid.dpatch that was introduced in 1.0.5-2 comments the line: 311 seteuid(user_id); which is the line to drop setuid root. The reason was to fix a bug that made some control keys

Bug#475733: acon: local root exploit

2008-04-12 Thread Mohammed Sameer
On Sat, Apr 12, 2008 at 07:51:22PM +0200, Julien Cristau wrote: On Sat, Apr 12, 2008 at 19:15:45 +0200, أحمد المحمودي wrote: Hello, Actually patch 05_setuid.dpatch that was introduced in 1.0.5-2 comments the line: 311 seteuid(user_id); which is the line to drop

Bug#475733: acon: local root exploit

2008-04-12 Thread Nico Golde
Hi Mohammed, * Mohammed Sameer [EMAIL PROTECTED] [2008-04-12 22:14]: On Sat, Apr 12, 2008 at 07:51:22PM +0200, Julien Cristau wrote: On Sat, Apr 12, 2008 at 19:15:45 +0200, wrote: [...] So you're building a package with a setuid root binary, comment out the call

Bug#475733: acon: local root exploit

2008-04-12 Thread Helmut Grohne
From the source code: 35 int main(int argc,char **argv) 36 { 37 int i,tty,useunicode=0; 38 char *fontf=0,*translationf=0,*keymapf=0; 39 40 get_ids(); 41 set_user_id(); ... 301 int user_id; 302 int

Bug#475733: acon: local root exploit

2008-04-12 Thread Helmut Grohne
So why do you think it does not drop setuid root, the code does? $ cat debian/patches/05_setuid.diff Index: acon-1.0.5/acon.c Commented a statement that returns the user id to non-root. That made some control keys to not work. ===

Bug#475733: acon: local root exploit

2008-04-12 Thread Mohammed Sameer
On Sat, Apr 12, 2008 at 11:08:46PM +0200, Nico Golde wrote: Hi Mohammed, * Mohammed Sameer [EMAIL PROTECTED] [2008-04-12 22:14]: On Sat, Apr 12, 2008 at 07:51:22PM +0200, Julien Cristau wrote: On Sat, Apr 12, 2008 at 19:15:45 +0200, wrote: [...] So you're