List: kde-multimedia
Subject: Re: aRts < 1.0.3 local root exploit
From: Dirk Mueller <mueller () kde ! org>
Date: 2002-07-08 12:16:59
Moin Stefan!

It seems the posting on bugtraq was a fake, there is no exploitable local
root. However, there are plenty of possibilities of local DoS attacks when
realtime scheduling is allowed and enabled.

The question is: Do we care?

Will we enhance security of arts for KDE 3.0.3 / 3.1?

Things like:

- refuse to run as root, setuid to nobody then or similar
- refuse to load player plugins from nonroot, different users
- fix the exploitable buffer overflows in arts

Should we recommend to disable realtime priority (i.e. remove the suid bit
on artswrapper)?

Should we make the non-suid artswrapper the default?

I'm preparing an advisory, so please reply ASAP :-)

Dirk

(Keep me on CC)