Installed jazip 0.33-1 (i386 source)
-----BEGIN PGP SIGNED MESSAGE-----
Format: 1.6
Date: Sun, 21 Jan 2001 23:02:21 -0500
Source: jazip
Binary: jazip
Architecture: source i386
Version: 0.33-1
Distribution: stable
Urgency: high
Maintainer: Peter S Galbraith <psg@debian.org>
Description:
jazip - mount and unmount Iomega Zip and/or Jaz drives.
Closes: 82586
Changes:
jazip (0.33-1) stable; urgency=high
.
* Close root exploit that can give root shell to members of floppy
group. First, the interface doesn't run as root anymore. Upstream
did this by partitioning off all the parts of the code that need
root access between 'seteuid(0)' and 'seteuid(getuid())' calls.
So now, even though the binary is suid root, the program runs as
the normal user except at very specific times (when the device is
being opened, mounted, etc.). This had the effect of removing the
root exploit, but not the buffer overflow. As you might expect, the
exploit still caused the prog to crash and run the shell, but the
shell didn't run as root anymore. Second, upstream added a few lines
at the beginning of main.c which do a sanity check on the DISPLAY
environment. Basically it truncates it to 256 chars if it's bigger
than that. This "fixed" the buffer overflow problem.
(closes: #82586)
Files:
57b8742ed708f0497382b7672cb65f60 691 contrib/utils optional jazip_0.33-1.dsc
f9ff51cbf2c45191a7d67d1f528021bb 70874 contrib/utils optional jazip_0.33.orig.tar.gz
1fe4429042a36b08a18fecfe2e407ba8 11942 contrib/utils optional jazip_0.33-1.diff.gz
d9c33aca7185dfa7c3c82563f5ce8948 125252 contrib/utils optional jazip_0.33-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
-----END PGP SIGNATURE-----
Installed:
jazip_0.33.orig.tar.gz
to pool/contrib/j/jazip/jazip_0.33.orig.tar.gz
jazip_0.33-1.dsc
to pool/contrib/j/jazip/jazip_0.33-1.dsc
jazip_0.33-1.diff.gz
to pool/contrib/j/jazip/jazip_0.33-1.diff.gz
jazip_0.33-1_i386.deb
to pool/contrib/j/jazip/jazip_0.33-1_i386.deb