Hi Stefan!

It seems the posting on bugtraq was a fake; there is no exploitable local root. However, there are plenty of possibilities for local DoS attacks when realtime scheduling is allowed and enabled.

The question is: Do we care? Will we enhance security of arts for KDE 3.0.3 / 3.1? Things like:

- refuse to run as root, setuid to nobody then or similar
- refuse to load player plugins from nonroot, different users
- fix the exploitable buffer overflows in arts

Should we recommend disabling realtime priority (i.e. removing the suid bit on artswrapper)? Should we make the non-suid artswrapper the default?

I'm preparing an advisory, so please reply ASAP :-)

Dirk

(Keep me on CC)

_______________________________________________
kde-multimedia mailing list
kde-multimedia@mail.kde.org
http://mail.kde.org/mailman/listinfo/kde-multimedia