
Installed jazip 0.33-1 (i386 source)



-----BEGIN PGP SIGNED MESSAGE-----

Format: 1.6
Date: Sun, 21 Jan 2001 23:02:21 -0500
Source: jazip
Binary: jazip
Architecture: source i386
Version: 0.33-1
Distribution: stable
Urgency: high
Maintainer: Peter S Galbraith <psg@debian.org>
Description: 
 jazip      - mount and unmount Iomega Zip and/or Jaz drives.
Closes: 82586
Changes: 
 jazip (0.33-1) stable; urgency=high
 .
   * Close root exploit that can give root shell to members of floppy
     group.  First, the interface doesn't run as root anymore.  Upstream
     did this by partitioning off all the parts of the code that need
     root access between 'seteuid(0)' and 'seteuid(getuid())' calls.
     So now, even though the binary is suid root, the program runs as
     the normal user except at very specific times (when the device is
     being opened, mounted, etc.).  This had the effect of removing the
     root exploit, but not the buffer overflow.  As you might expect, the
     exploit still caused the prog to crash and run the shell, but the
     shell didn't run as root anymore.  Second, upstream added a few lines
     at the beginning of main.c which does a sanity check on the DISPLAY
     environment.  Basically it truncates it to 256 chars if it's bigger
     than that.  This "fixed" the buffer overflow problem.
     (closes: #82586)
Files: 
 57b8742ed708f0497382b7672cb65f60 691 contrib/utils optional jazip_0.33-1.dsc
 f9ff51cbf2c45191a7d67d1f528021bb 70874 contrib/utils optional jazip_0.33.orig.tar.gz
 1fe4429042a36b08a18fecfe2e407ba8 11942 contrib/utils optional jazip_0.33-1.diff.gz
 d9c33aca7185dfa7c3c82563f5ce8948 125252 contrib/utils optional jazip_0.33-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOmuxMLwVH8jSqROhAQFoqQP/ZSd5r9prfj5nwwamU5+AFNkX5Xe1AwBV
PZSLir2G2rH9ltbpx+ZCnhFGGEdfnyuy+slh+WkZwPsXt8TUknMClGrZEKvQjOWx
k/asmM3feeH19knRtCxIFjb2zjDswxvsywCPx/Y9Y+jX9k7SC4TcFSAfj+Qtt2Tt
pWbx4H2/bxk=
=DFbY
-----END PGP SIGNATURE-----


Installed:
jazip_0.33.orig.tar.gz
  to pool/contrib/j/jazip/jazip_0.33.orig.tar.gz
jazip_0.33-1.dsc
  to pool/contrib/j/jazip/jazip_0.33-1.dsc
jazip_0.33-1.diff.gz
  to pool/contrib/j/jazip/jazip_0.33-1.diff.gz
jazip_0.33-1_i386.deb
  to pool/contrib/j/jazip/jazip_0.33-1_i386.deb
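
The two measures the changelog describes, sketched as an added C example (not jazip's code and not taken from its main.c): an over-long DISPLAY is clamped to 256 bytes, and root is held only between 'seteuid(0)' and 'seteuid(getuid())'. The names clamp_env, with_root and record_euid are hypothetical, and record_euid stands in for the real device open/mount step.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* setenv(), seteuid() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DISPLAY_MAX 256   /* limit named in the changelog */

/* Clamp an environment variable to max bytes before any code copies it.
 * Returns the resulting length, or -1 if unset or on failure. */
long clamp_env(const char *name, size_t max)
{
    const char *val = getenv(name);
    if (val == NULL) return -1;
    size_t len = strlen(val);
    if (len <= max) return (long)len;
    char *copy = malloc(max + 1);
    if (copy == NULL) return -1;
    memcpy(copy, val, max);
    copy[max] = '\0';
    int rc = setenv(name, copy, 1);   /* setenv stores its own copy */
    free(copy);
    return rc == 0 ? (long)max : -1;
}

/* Run one privileged step with euid 0, then go back to the real uid.
 * Returns the step's result, or -1 if euid 0 is not available. */
int with_root(int (*step)(void *), void *arg)
{
    if (seteuid(0) != 0) return -1;
    int rc = step(arg);
    if (seteuid(getuid()) != 0 || geteuid() != getuid())
        abort();                      /* never continue as root */
    return rc;
}

/* Hypothetical stand-in for "open/mount the device": records the euid. */
int record_euid(void *out) { *(uid_t *)out = geteuid(); return 0; }

int main(void)
{
    uid_t seen = (uid_t)-1;
    if (seteuid(getuid()) != 0) return 1;   /* start unprivileged */
    clamp_env("DISPLAY", DISPLAY_MAX);      /* before any GUI code runs */
    int rc = with_root(record_euid, &seen); /* -1 unless euid 0 is available */
    printf("step rc=%d, euid now %d\n", rc, (int)geteuid());
    return 0;
}
```

Clamping the variable bounds the input but leaves any fixed-size copy further down unchanged, so bounded copies at the point of use are still needed.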


