artswrapper defanged
Matthias Welwarsky
matze at stud.fbi.fh-darmstadt.de
Fri Jul 19 07:55:52 BST 2002
On Friday 12 July 2002 01:27, Rik Hemsley wrote:
> I have modified arts/soundserver/Makefile.am to stop it installing
> artswrapper suid and also stop asking the user to do so themselves
> if it fails.
>
> I have also modified artswrapper.c to stop trying to raise its own
> priority, in case someone does make the binary suid.
>
> I made these changes as a temporary measure until the denial
> of service vulnerability is fixed.
Then you should keep in mind that just committing a patch does not make the
vulnerability go away. So, if you don't take any other action, this does not
help anybody, you just upset a few of your fellow developers.
It never helped to just fix the code. Vendors learn this the hard way, e.g.
Microsoft's IIS falling over by thousands for another wave of Nimda attacks,
even though a patch exists for years (virtually).
The whole purpose of artswrapper is to run artsd with realtime priority in a
safe manner. Realtime priority is something many people with crappy hardware
want because it helps them to get crackle-free sound.
What you _should_ have done is publish a security advice that tells people to
remove the suid bit of artswrapper. This has the same effect as patching the
feature away in the source: None. But it would have saved people a lot of
breath.
regards,
matze
--
Matthias Welwarsky
Fachschaft Informatik FH Darmstadt
Email: matze at stud.fbi.fh-darmstadt.de
"all software sucks equally, but some software is more equal"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: signature
URL: <http://mail.kde.org/pipermail/kde-multimedia/attachments/20020719/07f79250/attachment.sig>
More information about the kde-multimedia
mailing list