
Re: cdrtools-2.01a22 ready



>From: Volker Kuhlmann <hidden@paradise.net.nz>

>> 	All recent SuSE distributions contain unofficial and modified versions
>> 	of cdrecord that are known to contain bugs and open new security holes.

>Can you be more specific about the bugs please? Or does that "contain
>bugs" simply refer to that they're not the latest alpha version?

Patches that don't follow the conceptual design of complex data structures
easily break functions that the author of the patch is not aware of.


>What "security holes" are you talking about?


I thought that I had already mentioned it.

SuSE implements a "device manager" daemon that opens device nodes for other
programs. This daemon is less secure than cdrecord/libscg as libscg 
does far more than a simple string compare/pattern matching on the device node
name.

Linux does not implement a device node system with a stable device <-> node 
relation. Libscg maps device node names to more stable bus/target/lun
values and is thus more secure than the simple system used by SuSE.

Jörg

-- 
 EMail:joerg@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
       js@cs.tu-berlin.de		(uni)  If you don't have iso-8859-1
       schilling@fokus.fraunhofer.de	(work) chars I am J"org Schilling
 URL:  http://www.fokus.fraunhofer.de/usr/schilling ftp://ftp.berlios.de/pub/schily
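
Added example, not part of the original message and not code from libscg or from SuSE: a C illustration of the contrast drawn above, a check on the device node name versus asking the kernel which bus/target/lun an opened descriptor is bound to. The function names and the `sr<N>`/`sg<N>` pattern are assumptions made for the illustration; the two ioctls are the Linux SCSI ones.

```c
#include <ctype.h>
#include <fcntl.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Linux ioctl numbers, values as in <scsi/scsi.h>. */
#define SCSI_IOCTL_GET_IDLUN      0x5382
#define SCSI_IOCTL_GET_BUS_NUMBER 0x5386

struct scsi_addr { int bus, target, lun; };

/* Weak check (assumed policy): accept any path whose last component is
 * "sr<N>" or "sg<N>". It never looks at what the name refers to. */
int name_matches(const char *path)
{
    const char *b = strrchr(path, '/');
    b = b ? b + 1 : path;
    if ((strncmp(b, "sr", 2) && strncmp(b, "sg", 2)) || !isdigit((unsigned char)b[2]))
        return 0;
    for (b += 2; *b; b++)
        if (!isdigit((unsigned char)*b))
            return 0;
    return 1;
}

/* Decode the dev_id word filled in by SCSI_IOCTL_GET_IDLUN. */
struct scsi_addr decode_idlun(unsigned dev_id, int bus)
{
    return (struct scsi_addr){ bus, (int)(dev_id & 0xff), (int)((dev_id >> 8) & 0xff) };
}

/* Stronger check: open the node, then ask the kernel which device the
 * descriptor is bound to and compare it with the expected address. */
int node_is_scsi_addr(const char *path, struct scsi_addr want)
{
    struct stat st;
    struct { int dev_id; int host_unique_id; } id;
    int bus = -1, ok = 0;
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return 0;
    if (fstat(fd, &st) == 0 && (S_ISCHR(st.st_mode) || S_ISBLK(st.st_mode)) &&
        ioctl(fd, SCSI_IOCTL_GET_IDLUN, &id) == 0 &&
        ioctl(fd, SCSI_IOCTL_GET_BUS_NUMBER, &bus) == 0) {
        struct scsi_addr got = decode_idlun((unsigned)id.dev_id, bus);
        ok = got.bus == want.bus && got.target == want.target && got.lun == want.lun;
    }
    close(fd);
    return ok;
}
```

A regular file that merely carries the name `sr0` passes `name_matches()` but is rejected by `node_is_scsi_addr()`, because the second check is made on the opened descriptor rather than on the name.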


