reopen 264055 =
tag 264055 + sarge
tag 264055 + security
severity 264055 grave
thanks

On Sun, Aug 08, 2004 at 08:20:44AM -0700, Robert Woodcock wrote:
> I can reproduce this, although I'm pretty sure that we've already dropped
> privileges by this time. Any thoughts on the patch below?

When the bug is hit, privileges are dropped, and this certainly is no root exploit. However, attackers will still try to steal your precious: the raw network sockets. The impact is less severe than a root exploit, but it remains a security issue, and should be fixed in the sarge version.

I'm Cc'ing -release because mtr is frozen. With the version in unstable still suffering from occasional FTBFS problems, it's probably easiest to sneak in Josh's original patch against 0.58 via testing-proposed-updates. Pushing in 0.63 (or later) might be an option once the automake issue is resolved: The diff between 0.58 and 0.63 amounts to 10000 lines, but about 95 per cent of it is autogenerated stuff and whitespace changes.

Regards,
Daniel.