
Re: Bug#24011: x11ampg: x11amp is not DFSG-free, and should not be in contrib.
Manoj Srivastava <srivasta@datasync.com> writes:

>  (I personally
>  would not put such a package on my machine unless I absolutely had
>  to, just from a mistrust of binaries whose code is not open for a
>  security audit).

It's actually worse than that - the authors recommend that it is
installed setuid-root.  So does the program that gets run from the
postinst.  I've gotten it to seg fault with a contrived playlist,
which generally means an exploitable buffer overflow exists.

I'm working out bug reports for these.

-- 
	 Carey Evans  http://home.clear.net.nz/pages/c.evans/

"[UNIX] appears to have the inside track on being the replacement for
  CP/M on the largest microcomputers (e.g. those based on 68000...)"
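A check a Debian admin can run before trusting a package that asks to be installed setuid-root, as in the x11amp case above. This is an added example and not code from the thread or from the package; it assumes a dpkg-based system for the `audit_package` wrapper (the file-list filter itself is plain POSIX sh).

```shell
#!/bin/sh
# Added example (not from the original thread). Lists files that carry the
# setuid or setgid bit so that a package which recommends a setuid-root
# install can be reviewed before it is trusted on the machine.

# Read one path per line on stdin and print those that are regular files
# with setuid or setgid set. Directories and missing files are skipped,
# so the raw output of `dpkg -L` can be piped straight in.
find_setuid_in_list() {
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        if [ -u "$path" ] || [ -g "$path" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Count how many privileged binaries a path list contains; a non-zero
# result is the signal that this package needs a closer look.
count_setuid_in_list() {
    find_setuid_in_list | wc -l | tr -d ' '
}

# Debian-specific wrapper (assumes dpkg): audit one installed package
# by name and print each privileged file with its mode and owner.
audit_package() {
    pkg=$1
    dpkg -L "$pkg" 2>/dev/null | find_setuid_in_list | while IFS= read -r f; do
        # ls -ld gives mode and owner portably; 's' in the mode column
        # marks the setuid/setgid bit.
        ls -ld "$f"
    done
}

# Usage: sh audit-setuid.sh <package> [<package> ...]
# With no arguments the script defines the functions and does nothing.
for pkg in "$@"; do
    echo "== $pkg =="
    audit_package "$pkg"
done
```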

