A new driver has been released. This is just a maintenance release to correct a vulnerability that was found in modem_run (part of the speedtouch driver) by Max Vozeler <[EMAIL PROTECTED]>.
In fact, modem_run, pppoa2 and pppoa3 were calling syslog() incorrectly. Strings containing %s (for instance) could be passed to syslog() and used by malicious users to cause a buffer overflow. Since modem_run is installed setuid on Debian systems, there was a security risk. The ID CAN-2004-0834 has been assigned to this vulnerability (see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0834).

The new driver is available at:
http://sourceforge.net/project/showfiles.php?group_id=32758&package_id=28264&release_id=271734

The speedtouch website will be updated at:
http://speedtouch.sourceforge.net/

Benoit PAPILLAULT
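The syslog() misuse described above, next to its corrected form, as an added example that is not code from the speedtouch driver. The names `log_line`, `report_safe`, `report_unsafe`, `last_logged` and `DEMO_VULNERABLE` are hypothetical, and the input string is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

static char last_line[256];   /* copy of the last rendered message, for inspection */

/* Hypothetical logging wrapper (not the driver's code). The format attribute
 * lets gcc/clang check callers, so -Wformat-security flags log_line(p, user_str). */
__attribute__((format(printf, 2, 3)))
int log_line(int prio, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
    syslog(prio, "%s", last_line);   /* rendered text is passed as data */
    return n;
}

#ifdef DEMO_VULNERABLE
/* The pattern described above: the untrusted string is the format, so a
 * "%s" or "%n" inside it makes syslog() use arguments that were never passed. */
void report_unsafe(const char *untrusted) { syslog(LOG_ERR, untrusted); }
#endif

/* Corrected form: constant format, untrusted text only as an argument. */
int report_safe(const char *untrusted)
{
    return log_line(LOG_ERR, "%s", untrusted);
}

const char *last_logged(void) { return last_line; }

int main(void)
{
    const char *input = "device name %s%s%n";   /* constructed sample input */
    int n = report_safe(input);
    printf("logged %d bytes: %s\n", n, last_logged());
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes the compiler report the `report_unsafe` pattern when `DEMO_VULNERABLE` is defined.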