Re: Seeking sponsors for 3 packages
On Wed, 18 Aug 2004 01:45:07 -0700, Steve Langasek wrote:
> On Wed, Aug 18, 2004 at 09:14:27AM +0100, Steve Kemp wrote:
>> On Tue, Aug 17, 2004 at 06:32:30PM -0700, Ken Bloom wrote:
>
>> > The third was written by someone else, but it's very useful:
>> > Package: svp
>> > Version: 0.2-3
>> > Description: An SVGAlib based viewer for PostScript and PDF files
>> > svp is an SVGAlib based GhostScript frontend, allowing you to view
>> > PostScript and PDF files on your virtual consoles.
>
>> > All of my packages are at http://wwwcsif.cs.ucdavis.edu/~bloom/
>
>> I will sponsor this package when it has been fixed to avoid a local
>> root attack.
>
>> The binary is installed setuid(root), and contains the following
>> code:
>
>> snprintf(command, 255, "gs -dBATCH -dNOPAUSE -dSAFER -sDEVICE=nullpage \"%s\" 2>&1", filename);
>> f=popen(command, "r");
>
>> That is, it invokes a copy of 'gs' without dropping root privileges and
>> without specifying the path to gs. This allows a local user to set up
>> a trojan gs command and use it to gain root...
>
>> Appropriate solutions could be forking and dropping privileges
>> temporarily, dropping the +s bit, or something else.
>
> Do we really want to be adding to the number of svgalib-based programs
> in the archive? Surely this isn't the only security problem lurking...
So perhaps nobody's interested in another SVGAlib program, especially
seeing another program that does the same thing (which I hadn't been aware
of). But is anybody interested in helping me with zmanim and qtzmanim?
--
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 08/18/2004. If you use GPG *please* see me about
signing the key. ***** My computer can't give you viruses by email. ***
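For reference, the shape of the fix Steve Kemp suggests for the quoted popen() call, as an added example that is not part of the thread or of the svp package: the helper is run with an absolute path (assumed to be /usr/bin/gs), without a shell, and only after the child has dropped root to the invoking user's real uid/gid. The function names (run_unprivileged, check_with_gs, example_echo_ok, example_relative_rejected) are hypothetical; the self-checks assume /bin/echo exists.

```c
#define _GNU_SOURCE 1   /* expose setgroups(), fork(), execv() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (not svp code): replacement for popen("gs ... \"%s\"") in a
 * setuid-root program.  All names are hypothetical; gs path is assumed. */

/* Permanently drop root to the real uid/gid of the invoking user.
 * Returns 0 on success, -1 on failure (the caller must not exec then). */
static int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Supplementary groups can only be cleared by root; do it while we are. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group before user: after setuid() we could no longer change the gid. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify the drop really is irreversible for a non-root invoker. */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

/* Run argv[0] (must be an absolute path) as the invoking user, capturing its
 * stdout+stderr into out (NUL-terminated, truncated if needed).  Returns the
 * child's exit status or -1 on error.  No shell is involved, so argv elements
 * such as a user-supplied filename are passed verbatim and never parsed. */
int run_unprivileged(char *const argv[], char *out, size_t outlen)
{
    int fds[2], status;
    pid_t pid;
    size_t used = 0;
    char scratch[256];

    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/' || outlen == 0) {
        errno = EINVAL;   /* refuse PATH lookups such as a bare "gs" */
        return -1;
    }
    if (pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {   /* child */
        close(fds[0]);
        if (drop_privileges() != 0)
            _exit(127);
        if (dup2(fds[1], STDOUT_FILENO) < 0 || dup2(fds[1], STDERR_FILENO) < 0)
            _exit(127);   /* mirrors the original's 2>&1 */
        close(fds[1]);
        execv(argv[0], argv);   /* absolute path: PATH is never consulted */
        _exit(127);
    }
    close(fds[1]);   /* parent: read until the child closes its end */
    for (;;) {
        ssize_t n;
        if (used + 1 < outlen)
            n = read(fds[0], out + used, outlen - used - 1);
        else
            n = read(fds[0], scratch, sizeof scratch);   /* buffer full: drain */
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            break;
        if (used + 1 < outlen)
            used += (size_t)n;
    }
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* The viewer's gs check, rewritten: fixed path (assumed /usr/bin/gs), the
 * filename passed as one argument, and gs run as the user rather than root. */
int check_with_gs(const char *filename, char *out, size_t outlen)
{
    char *const argv[] = { "/usr/bin/gs", "-dBATCH", "-dNOPAUSE", "-dSAFER",
                           "-sDEVICE=nullpage", (char *)filename, NULL };
    return run_unprivileged(argv, out, outlen);
}

/* Self-checks that work without gs installed (assume /bin/echo exists). */
int example_echo_ok(void)
{
    char out[64];
    char *const argv[] = { "/bin/echo", "svp", NULL };
    return run_unprivileged(argv, out, sizeof out) == 0 && strcmp(out, "svp\n") == 0;
}

int example_relative_rejected(void)
{
    char out[8];
    char *const argv[] = { "gs", "-dBATCH", NULL };   /* what the original did */
    return run_unprivileged(argv, out, sizeof out) == -1 && errno == EINVAL;
}

int main(int argc, char **argv)
{
    char out[4096];
    if (argc > 1) {   /* ./demo file.ps : run the rewritten gs check */
        int rc = check_with_gs(argv[1], out, sizeof out);
        printf("gs exited %d\n%s", rc, out);
        return rc == 0 ? 0 : 1;
    }
    return example_echo_ok() && example_relative_rejected() ? 0 : 1;
}
```

Dropping privileges before the exec is what removes the local root consequence entirely; the absolute path and the shell-free execv are what remove the trojan-gs and PATH dependence in the first place. Dropping the +s bit, the other option mentioned in the thread, makes all of this unnecessary but requires the SVGAlib console access to be obtained some other way.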