-----BEGIN PGP SIGNED MESSAGE----- Format: 1.6 Date: Sun, 21 Jan 2001 23:02:21 -0500 Source: jazip Binary: jazip Architecture: source i386 Version: 0.33-1 Distribution: stable Urgency: high Maintainer: Peter S Galbraith <[EMAIL PROTECTED]> Description: jazip - mount and unmount Iomega Zip and/or Jaz drives. Closes: 82586 Changes: jazip (0.33-1) stable; urgency=high . * Close root exploit that can give root shell to members of floppy group. First, the interface doesn't run as root anymore. Upstream did this by partitioning off all the parts of the code that need root access between 'seteuid(0)' and 'seteuid(getuid())' calls. So now, even though the binary is suid root, the program runs as the normal user except at very specific times (when the device is being opened, mounted, etc.). This had the effect of removing the root exploit, but not the buffer overflow. As you might expect, the exploit still caused the prog to crash and run the shell, but the shell didn't run as root anymore. Second, upstream added a few lines at the beginning of main.c which does a sanity check on the DISPLAY environment. Basically it truncates it to 256 chars if it's bigger than that. This "fixed" the buffer overflow problem. (closes: #82586) Files: 57b8742ed708f0497382b7672cb65f60 691 contrib/utils optional jazip_0.33-1.dsc f9ff51cbf2c45191a7d67d1f528021bb 70874 contrib/utils optional jazip_0.33.orig.tar.gz 1fe4429042a36b08a18fecfe2e407ba8 11942 contrib/utils optional jazip_0.33-1.diff.gz d9c33aca7185dfa7c3c82563f5ce8948 125252 contrib/utils optional jazip_0.33-1_i386.deb
-----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBOmuxMLwVH8jSqROhAQFoqQP/ZSd5r9prfj5nwwamU5+AFNkX5Xe1AwBV PZSLir2G2rH9ltbpx+ZCnhFGGEdfnyuy+slh+WkZwPsXt8TUknMClGrZEKvQjOWx k/asmM3feeH19knRtCxIFjb2zjDswxvsywCPx/Y9Y+jX9k7SC4TcFSAfj+Qtt2Tt pWbx4H2/bxk= =DFbY -----END PGP SIGNATURE----- Installed: jazip_0.33.orig.tar.gz to pool/contrib/j/jazip/jazip_0.33.orig.tar.gz jazip_0.33-1.dsc to pool/contrib/j/jazip/jazip_0.33-1.dsc jazip_0.33-1.diff.gz to pool/contrib/j/jazip/jazip_0.33-1.diff.gz jazip_0.33-1_i386.deb to pool/contrib/j/jazip/jazip_0.33-1_i386.deb