The issue isn't if %n works, but if %n is in writable memory:

$ kdesudo echo "%x%x%n"
*** %n in writable segment detected ***

Test programs to see this need to have writable memory, and be compiled
-O2 (the default for kdesudo).

It's also unimportant because there are no privileges yet when the
expansion occurs.  The output is being run as root, that's true, but
again, the user must know the root password to have this happen, so
there's no escalation of existing privileges.  The case for user-
assisted attacks is very unlikely.  (Though perhaps I'm just being
uncreative when it comes to %-expansions.)

This is a bug, and needs to be fixed, though.  I'll go poke the
maintainer again.

-- 
kdesudo crashed with SIGSEGV in strlen()
https://bugs.launchpad.net/bugs/281877
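
Added example, not part of the original message and not kdesudo's code: a small C audit helper that finds printf conversions (including %n) in untrusted text such as the "%x%x%n" argument above, next to the constant-format call that keeps that text from being interpreted. The names audit_format and format_command_safe are hypothetical, and the scan over-approximates by skipping flags, width, precision and length characters in any order.

```c
#include <stdio.h>
#include <string.h>

/* Result of scanning untrusted text for printf conversion specifications. */
struct fmt_audit {
    int conversions; /* directives that would consume an argument */
    int writes;      /* how many of those are %n (store through a pointer) */
};

/* Walk the string roughly the way printf would: "%%" is a literal percent;
 * otherwise skip flags, width, precision, positional and length characters,
 * then classify the conversion character. */
struct fmt_audit audit_format(const char *s)
{
    struct fmt_audit r = {0, 0};
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }
        s += strspn(s, "-+ #0'123456789*$.hlLqjzt");
        if (*s == '\0')
            break;                       /* truncated directive */
        if (strchr("diouxXeEfFgGaAcspn", *s)) {
            r.conversions++;
            if (*s == 'n')
                r.writes++;
        }
        s++;
    }
    return r;
}

/* The fix: untrusted text is an argument to a constant "%s" format, never
 * the format itself. The unsafe form would be snprintf(out, outlen, cmd);
 * with the format in writable memory, glibc's fortified printf family
 * aborts on %n with the message quoted above. */
int format_command_safe(char *out, size_t outlen, const char *cmd)
{
    return snprintf(out, outlen, "%s", cmd);
}

int main(void)
{
    const char *cmd = "%x%x%n";          /* the argument from the message */
    struct fmt_audit a = audit_format(cmd);
    char buf[64];
    format_command_safe(buf, sizeof buf, cmd);
    printf("conversions=%d writes=%d safe=\"%s\"\n", a.conversions, a.writes, buf);
    return 0;
}
```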