On Tue, Oct  7, 2008 at 17:43:59 +0200, Thomas Viehmann wrote:

> Please note that this is NOT about this specific overflow. I have found
> it by grepping(!) through the code for string functions for 5 minutes.
> acon needs to be completely redone before being remotely safe,
> preferably in a way that is less likely to create all sorts of
> vulnerabilities.
> Note that this hole was unnoticed during an audit during which the
> auditor came to the conclusion to not ship the code as it is likely that
> there are more vulnerabilities than those he found. He was right.
> 
I suggest removing this package from Debian altogether.  We shouldn't
distribute setuid root binaries with lots of known bugs and poor code
quality, IMO.

Cheers,
Julien
