
Re: Bug#24011: x11ampg: x11amp is not DFSG-free, and should not be in contrib.
I've already submitted a bug report about it, with a STRONG
recommendation that postinst NOT recommend setuid -- especially
since the documentation itself mentions that it may not be secure!

Carey Evans <c.evans@clear.net.nz> writes:

> Manoj Srivastava <srivasta@datasync.com> writes:
> 
> >  (I personally
> >  would not put such a package on my machine unless I absolutely had
> >  to, just from a mistrust of binaries whose code is not open for a
> >  security audit).
> 
> It's actually worse than that - the authors recommend that it is
> installed setuid-root.  So does the program that gets run from the
> postinst.  I've gotten it to segfault with a contrived playlist,
> which generally means an exploitable buffer overflow exists.
> 
> I'm working out bug reports for these.
> 
> -- 
> 	 Carey Evans  http://home.clear.net.nz/pages/c.evans/
> 
> "[UNIX] appears to have the inside track on being the replacement for
>   CP/M on the largest microcomputers (e.g. those based on 68000...)"
> 

-- 
John Goerzen   Linux, Unix consulting & programming   jgoerzen@complete.org |
Developer, Debian GNU/Linux (Free powerful OS upgrade)       www.debian.org |
----------------------------------------------------------------------------+
Visit the Air Capitol Linux Users Group on the web at http://www.aclug.org
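The point of contention above is a postinst that recommends making a closed-source binary setuid-root. A reviewer wants to see exactly which files a package installation left with the setuid or setgid bit set. The shell functions below are an added example written for this page, not code from the thread or from Debian: `find_setuid` lists such files under a directory, and `new_setuid` diffs two of its snapshots (taken before and after installing a package) so that any newly privileged binary stands out. The directory and snapshot paths are whatever the reviewer passes in.

```shell
#!/bin/sh
# Added example (not from the thread). List regular files under a directory
# that carry the setuid (4000) or setgid (2000) bit, one path per line, sorted
# so that two snapshots can be compared with comm(1).
find_setuid() {
    dir=$1
    # -xdev: stay on one filesystem; -perm -4000 / -2000: the bit is set
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Given two sorted snapshot files produced by find_setuid (before and after a
# package install), print the paths that are setuid/setgid only in "after".
# comm -13 suppresses lines unique to the first file and lines common to both.
new_setuid() {
    before=$1
    after=$2
    comm -13 "$before" "$after"
}

# Typical use (assumed paths): snapshot /usr/bin before and after a dpkg -i,
# then review whatever new_setuid reports before trusting the package.
#   find_setuid /usr/bin > /tmp/suid.before
#   ... install the package ...
#   find_setuid /usr/bin > /tmp/suid.after
#   new_setuid /tmp/suid.before /tmp/suid.after
```

Anything `new_setuid` reports is a binary that now runs with the owner's privileges for every local user, which is exactly the property that turns the segfault described in the quoted message into a local privilege problem rather than a crash of the user's own player.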


--  
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org