On Wed, 18 Aug 2004 01:45:07 -0700, Steve Langasek wrote:

<snip previous discussions>

> Do we really want to be adding to the number of svgalib-based programs in
> the archive? Surely this isn't the only security problem lurking...

It's a very simple bug to fix, and documented right in the vga_init manpage.
Here's the fix:

svp (0.2-4) unstable; urgency=low

  * Fixed a security bug where a user could run an arbitrary program named
    gs with root privileges.
    - Moved vga_init() to be the first command called, as vga_init() drops
      privileges. If the usage message gets printed, this will print out a
      bit of cruft first, but it's worth it for security, right?
    - Hardcoded the path to /usr/bin/gs. Things will break if gs moves, but
      it's much more likely to change name than move and the name was
      already hardcoded, so what am I worried about?

 -- Ken Bloom <[EMAIL PROTECTED]>  Wed, 18 Aug 2004 15:56:26 -0700

And the fixed package is up on the site I mentioned.

--
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 08/17/2004. If you use GPG *please* see me
about signing the key.

***** My computer can't give you viruses by email. ***
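The two changes in the changelog above (drop privileges before anything else, and exec the helper by absolute path rather than by bare name) are a general pattern for any setuid program that launches a child. The C below is an added illustration, not svp's source and not from the list post: `drop_privileges()` stands in for what vga_init() does in an svgalib program, `run_helper_unprivileged()` refuses to exec unless the path is absolute and the effective ids already match the real ones, and `GS_PATH`, `is_absolute_program()` and the argument list are assumptions made for the example. It assumes a POSIX system.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed for this example. The changelog hard-codes the path instead of
   relying on a PATH lookup of a bare "gs", which the invoking user controls. */
#define GS_PATH "/usr/bin/gs"

/* 1 if prog is an absolute path (PATH is never consulted), 0 otherwise. */
int is_absolute_program(const char *prog)
{
    return prog != NULL && prog[0] == '/';
}

/* Give up root permanently: real, effective and saved ids become the invoking
   user's. Stands in for vga_init(); like it, this must be the first thing the
   program does, before argument parsing, usage output or any exec.
   Returns 0 on success, -1 on failure (the process is then still privileged). */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (setgid(gid) != 0)   /* groups first: after setuid() this would fail */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Assumed sanity check: a non-root user must not be able to regain
       euid 0; if seteuid(0) succeeds the saved uid was not cleared. */
    if (uid != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

/* Run a helper only if (a) its path is absolute and (b) privileges are already
   dropped. Uses execv(), never execvp() or system(), so a user-supplied PATH
   cannot substitute a different "gs". Returns the child's exit status, or -1
   when a precondition fails or fork/exec/wait fails. */
int run_helper_unprivileged(const char *path, char *const argv[])
{
    int status;
    pid_t pid;

    if (!is_absolute_program(path)) {
        errno = EINVAL;
        return -1;
    }
    if (geteuid() != getuid() || getegid() != getgid()) {
        errno = EPERM;
        return -1;
    }
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);
        _exit(127);         /* exec failed; 127 follows the shell convention */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    /* Same ordering as the fix: drop privileges before even the usage message. */
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    if (argc < 2) {
        fprintf(stderr, "usage: %s file.ps\n", argv[0]);
        return 1;
    }
    char *const gs_argv[] = { "gs", argv[1], NULL };
    int rc = run_helper_unprivileged(GS_PATH, gs_argv);
    printf("gs exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The check in `run_helper_unprivileged()` is what turns the changelog's ordering rule into something a reviewer can verify: if a later refactor moves the exec ahead of the privilege drop, the call fails with EPERM instead of silently running the child as root. Hard-coding the path removes the second half of the problem, since a bare name is resolved through the caller's PATH.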