[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-core-devel
Subject:    Re: artswrapper defanged
From:       Matthias Welwarsky <matze () stud ! fbi ! fh-darmstadt ! de>
Date:       2002-07-19 6:55:52
[Download RAW message or body]


On Friday 12 July 2002 01:27, Rik Hemsley wrote:
> I have modified arts/soundserver/Makefile.am to stop it installing
> artswrapper suid and also stop asking the user to do so themselves
> if it fails.
>
> I have also modified artswrapper.c to stop trying to raise its own
> priority, in case someone does make the binary suid.
>
> I made these changes as a temporary measure until the denial
> of service vulnerability is fixed.

Then you should keep in mind that just committing a patch does not make the 
vulnerability go away. So, if you don't take any other action, this does not 
help anybody, you just upset a few of your fellow developers. 

It never helped to just fix the code. Vendors learn this the hard way, e.g. 
Microsoft's IIS falling over by thousands for another wave of Nimda attacks, 
even though a patch exists for years (virtually).

The whole purpose of artswrapper is to run artsd with realtime priority in a 
safe manner. Realtime priority is something many people with crappy hardware 
want because it helps them to get crackle-free sound.

What you _should_ have done is publish a security advice that tells people to 
remove the suid bit of artswrapper. This has the same effect as patching the 
feature away in the source: None. But it would have saved people a lot of 
breath.

regards,
	matze

-- 
Matthias Welwarsky
Fachschaft Informatik FH Darmstadt
Email: matze@stud.fbi.fh-darmstadt.de

"all software sucks equally, but some software is more equal"

[Attachment #3 (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]