Re: [SECURITY] [DSA 609-1] New atari800 packages fix local root exploit

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 609-1] New atari800 packages fix local root exploit
From: Robert Millan <rmh@debian.org>
Date: Wed, 15 Dec 2004 01:03:19 +0100
Message-id: <[🔎] 20041215000319.GB8103@khazad.dyndns.org>
In-reply-to: <m1CeF8f-000pyOC@finlandia.Infodrom.North.DE>
References: <m1CeF8f-000pyOC@finlandia.Infodrom.North.DE>

On Tue, Dec 14, 2004 at 05:03:01PM +0100, Martin Schulze wrote:
> 
> Adam Zabrocki discovered multiple buffer overflows in atari800, an
> Atari emulator.  In order to directly access graphics hardware, one of
> the affected programs is installed setuid root.  A local attacker
> could exploit this vulnerability to gain root privileges.

I wonder if we could have some sort of policy to prevent this kind of silly
bugs.  It doesn't make sense to use root privs for displaying graphics when
we have priviledge separation layers like SDL and X.

-- 
 .''`.   Proudly running Debian GNU/kFreeBSD unstable/unreleased (on UFS2+S)
: :' :
`. `'    http://www.debian.org/ports/kfreebsd-gnu
  `-

Reply to:

Prev by Date: test
Next by Date: Masao Sugimoto/Nokubi Takatsugu
Previous by thread: Re: [SECURITY] [DSA 609-1] New atari800 packages fix local root exploit
Next by thread: Olivier PIANG-SIONG/UTI/IDF/DEPT/EDFGDF/FR est absent(e).
Index(es):
- Date
- Thread