Re: Requesting unblocking of gxine
On 2007-01-08, Darren Salt <firstname.lastname@example.org> wrote:
> Could you allow gxine 0.5.8-2 into etch? Reason is that it fixes bug 405876,
> "segfault on startup with long HOME dir" (which is tagged important, but
> gxine is an optional package).
> This version also enables the watchdog code. I chose this over some locking
> bug fixes as the "safer" alternative (it was enabled in Ubuntu at my
> request); however, I consider both to be important. If you think that I
> should include these patches, I'll prepare 0.5.8-3 once 0.5.8-2 is in etch.
> gxine (0.5.8-2) unstable; urgency=high
> * SECURITY FIX (local exploit) (closes: #405876)
> This version fixes a potential buffer overflow in gxine's server
> component and in gxine_client. This overflow would occur were $HOME
> sufficiently long - 94 bytes or more would cause socket creation or
> connection failure, and 242 bytes or more would cause a segfault or
> possible arbitrary code execution.
But gxine isn't setuid or setgid?