Re: Bug#24011: x11ampg: x11amp is not DFSG-free, and should not be in contrib.
Manoj Srivastava <srivasta@datasync.com> writes:
> (I personally
> would not put such a package on my machine unless I absolutely had
> to, just from a mistrust of binaries whose code is not open for a
> security audit).
It's actually worse than that - the authors recommend that it is
installed setuid-root. So does the program that gets run from the
postinst. I've gotten it to segfault with a contrived playlist,
which generally means an exploitable buffer overflow exists.
I'm working out bug reports for these.
--
Carey Evans http://home.clear.net.nz/pages/c.evans/
"[UNIX] appears to have the inside track on being the replacement for
CP/M on the largest microcomputers (e.g. those based on 68000...)"