Re: Seeking sponsors for 3 packages



On Wed, 18 Aug 2004 01:45:07 -0700, Steve Langasek wrote:
<snip previous discussions>
> Do we really want to be adding to the number of svgalib-based programs in
> the archive?  Surely this isn't the only security problem lurking...

It's a very simple bug to fix, and documented right in the vga_init
manpage. Here's the fix:

svp (0.2-4) unstable; urgency=low

  * Fixed a security bug where a user could run an arbitrary program
    named gs with root privileges.
     - Moved vga_init() to be the first command called, as vga_init() drops
       privileges. If the usage message gets printed, this will print
       out a bit of cruft first, but it's worth it for security, right?
     - Hardcoded the path to /usr/bin/gs. Things will break if gs moves,
       but it's much more likely to change name than move and the name was
       already hardcoded, so what am I worried about?

 -- Ken Bloom <kabloom@ucdavis.edu>  Wed, 18 Aug 2004 15:56:26 -0700

And the fixed package is up on the site I mentioned.

-- 
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 08/17/2004. If you use GPG *please* see me about 
signing the key. ***** My computer can't give you viruses by email. ***
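Added example, not code from svp or from this thread: the two changelog items above as a minimal C pattern for a setuid-root helper that hands a file to gs. Privileges are dropped first, as vga_init() does, and gs is then exec'd by absolute path so $PATH is never consulted. The path /usr/bin/gs follows the changelog; the argument passed to gs and the function names are assumptions.

```c
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Absolute path from the changelog above; where gs lives is an assumption. */
#define GS_PATH "/usr/bin/gs"

/* Permanently give up root: group first (still needs root), then user.
 * With euid 0, setgid/setuid replace real, effective and saved ids.
 * Returns 0 when the drop succeeded and is verified, -1 otherwise. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify: effective ids now equal the real ids ... */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* ... and root cannot be regained from the saved uid. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Only an absolute path is acceptable, so $PATH is never consulted. */
int is_absolute_path(const char *p)
{
    return p != NULL && p[0] == '/';
}

/* Run `prog` on `file` as the real user. Order matters: drop privileges
 * first, before anything else. Returns the child's exit status, or -1. */
int run_as_user(const char *prog, const char *file)
{
    int status;
    if (drop_privileges() != 0 || !is_absolute_path(prog))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl(prog, prog, file, (char *)NULL); /* execl, not execlp: no PATH search */
        _exit(127);                             /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A wrapper would call run_as_user(GS_PATH, argv[1]); anything printed before that call, such as a usage message, still runs with the original privileges, which is why the changelog moves vga_init() to the very front.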