Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On 10/26/06, Mikhail Sobolev <[EMAIL PROTECTED]> wrote:
> [snip interesting points about bugfix releases]
>
> On Thu, Oct 26, 2006 at 06:20:02PM +0100, Andrew Flegg wrote:
> > [snip the rest, I think we can probably put that safely to bed]
>
> Pity. :-/

Well, if you insist: IMHO, I think the people participating from within Nokia with the external community (whether via mailing lists or IRC) are largely spot-on in terms of attitude, approach and helpfulness. Which makes the exceptions even more glaring.

The development process issues about openness and discussion with the community about future plans have already been discussed, and are not necessarily relevant to a "tone" discussion. Similarly for when questions go unanswered (but the "outstanding issues" post helps here).

HTH,

Andrew

--
Andrew Flegg -- mailto:[EMAIL PROTECTED] | http://www.bleb.org/

___
maemo-developers mailing list
maemo-developers@maemo.org
https://maemo.org/mailman/listinfo/maemo-developers
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Thu, Oct 26, 2006 at 06:20:02PM +0100, Andrew Flegg wrote:
> On 10/26/06, Mikhail Sobolev <[EMAIL PROTECTED]> wrote:
> > On Wed, Oct 25, 2006 at 10:44:23PM +0100, Andrew Flegg wrote:
> > > From a technical PoV, IT 2005 and IT 2006 have been completely different, though: lots of minor releases to fix bugs in the former; nothing like that with the latter - but there's Sardine instead.
> >
> > That's a very good point: we did not seem to produce any bugfix releases for IT 2006.
>
> It'd be interesting to see why you think this is. For example, is there an internal perception that IT 2006 is just "more finished" than IT 2005, or because efforts have been redirected into Sardine (and now Herring)?

It's a good point because when we released IT2005 and then released a number of bugfix releases for it, we showed that every release would be followed by fixes. And when we released IT2006 no bugfix releases were made for quite some time.

As for internal perception, this is a sensitive topic. What I can say for sure is that "more finished" and Sardine/Herring are not related at all. As far as I understand (most likely Carlos would be a better person to comment on this):

* Sardine is the latest and greatest
* Herring is what is stabilized toward the _next_ stable release

I do not see how it relates to bugfix releases, so Carlos is the best person to describe the whole cycle.

> [snip the rest, I think we can probably put that safely to bed]

Pity. :-/

Kind Regards,

--
Misha
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On 10/26/06, Mikhail Sobolev <[EMAIL PROTECTED]> wrote:
> On Wed, Oct 25, 2006 at 10:44:23PM +0100, Andrew Flegg wrote:
> > From a technical PoV, IT 2005 and IT 2006 have been completely different, though: lots of minor releases to fix bugs in the former; nothing like that with the latter - but there's Sardine instead.
>
> That's a very good point: we did not seem to produce any bugfix releases for IT 2006.

It'd be interesting to see why you think this is. For example, is there an internal perception that IT 2006 is just "more finished" than IT 2005, or because efforts have been redirected into Sardine (and now Herring)?

[snip the rest, I think we can probably put that safely to bed]

Cheers,

Andrew

--
Andrew Flegg -- mailto:[EMAIL PROTECTED] | http://www.bleb.org/
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
Hi Andrew

On Wed, Oct 25, 2006 at 10:44:23PM +0100, Andrew Flegg wrote:
> From a technical PoV, IT 2005 and IT 2006 have been completely different, though: lots of minor releases to fix bugs in the former; nothing like that with the latter - but there's Sardine instead.

That's a very good point: we did not seem to produce any bugfix releases for IT 2006.

> > > Either way, some professionalism would be nice.
> >
> > It's certainly a matter of definition :) Please do define it and we'll see if it's possible to follow your definition...
>
> Although I take your point, TBH, I've got better and more productive things to do with my time than define English words and idioms. If Nokia want to employ consultants on CRM and Assertiveness without Aggression[1] that's their prerogative.

I'm sorry, I did not want to start any linguistic discussions. What I should have said is: Nokia has lots of practices and policies that have a long history. Our product and everything that happens around it challenges (Nokia word :)) those practices, and any changes won't take one day or even one year. On the other hand, open source projects and activities in general somehow imply certain expectations toward maemo and its components that we cannot always meet. :)

So, returning to the word "professionalism", I'd say we act quite professionally from the point of view of Nokia practices, and we might look not exactly professional from other points, hence the "definition". You can help us by stating your expectations.

> However, Clue #1: professionalism is not referring to customers through an official channel as living in "twisted little world"s.

This is clearly one of those :D

Kind Regards,

--
Misha
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On 10/25/06, Mikhail Sobolev <[EMAIL PROTECTED]> wrote:
> On Wed, Oct 25, 2006 at 04:49:09PM +0100, Andrew Flegg wrote:
> > If Nokia's plans now solely consist of yearly releases (with no word as to whether or not they cost money), the community'll probably want to start thinking about forking whatever's present so that we're not dependent on occasional, drip-fed releases from Nokia.
>
> I'm not sure where you got this idea of "yearly" releases. Nokia 770 with its software was released in November 2005. A major software upgrade for it was released in June 2006. That accounts for 8 months at most...

Sorry, it was an exaggeration to make the point: without some concrete information from Nokia, we've no idea. (From a technical PoV, IT 2005 and IT 2006 have been completely different, though: lots of minor releases to fix bugs in the former; nothing like that with the latter - but there's Sardine instead.)

And despite David's flippant comment to read what Marius said as gospel - because it came from @nokia.com - Marius' later clarification that this was *not* to be taken as a promise underlines my question.

> > Either way, some professionalism would be nice.
>
> It's certainly a matter of definition :) Please do define it and we'll see if it's possible to follow your definition...

Although I take your point, TBH, I've got better and more productive things to do with my time than define English words and idioms. If Nokia want to employ consultants on CRM and Assertiveness without Aggression[1] that's their prerogative.

However, Clue #1: professionalism is not referring to customers through an official channel as living in "twisted little world"s.

Cheers,

Andrew

[1] http://www.creativeedgeuk.com/assertion.asp

--
Andrew Flegg -- mailto:[EMAIL PROTECTED] | http://www.bleb.org/
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Wed, Oct 25, 2006 at 03:43:34PM -0500, Ian wrote:
> > > Either way, some professionalism would be nice.
> >
> > It's certainly a matter of definition :) Please do define it and we'll see if it's possible to follow your definition...
>
> From http://en.wikipedia.org/wiki/Professional
>
> A professional provides a service in exchange for payment in accordance with established protocols for licensing, ethics, procedures, standards of service and training/certification.
>
> so it seems professionalism is the act of doing the above. Since Nokia guys are presumably getting paid we just need to establish what are the 'established protocols' and we are laughing ;)

Hmmm... Wikipedia's an interesting idea. :) "Protocol" leads to interesting opportunities... :D

That's gonna be interesting. :)

--
Misha
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
Hello,

> > Either way, some professionalism would be nice.
>
> It's certainly a matter of definition :) Please do define it and we'll see if it's possible to follow your definition...

From http://en.wikipedia.org/wiki/Professional

A professional provides a service in exchange for payment in accordance with established protocols for licensing, ethics, procedures, standards of service and training/certification.

so it seems professionalism is the act of doing the above. Since Nokia guys are presumably getting paid we just need to establish what are the 'established protocols' and we are laughing ;)

[]'s
Ian

--
 .''`.
: :' :
`. `'`
  `-
Proud to be a MetaRecicleiro
http://blogs.metareciclagem.org/manaus
http://ianlawrence.info
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Wed, Oct 25, 2006 at 04:49:09PM +0100, Andrew Flegg wrote:
> If Nokia's plans now solely consist of yearly releases (with no word as to whether or not they cost money), the community'll probably want to start thinking about forking whatever's present so that we're not dependent on occasional, drip-fed releases from Nokia.

I'm not sure where you got this idea of "yearly" releases. Nokia 770 with its software was released in November 2005. A major software upgrade for it was released in June 2006. That accounts for 8 months at most...

> Either way, some professionalism would be nice.

It's certainly a matter of definition :) Please do define it and we'll see if it's possible to follow your definition...

--
Misha
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Wed, 2006-10-25 at 19:54 +0300, ext David Weinehall wrote:
> On Wed, 2006-10-25 at 09:39 -0700, ext George Farris wrote:
> > On Wed, 2006-25-10 at 18:57 +0300, David Weinehall wrote:
> > > Most of the quirks have been twisted out now; it's almost functional, and our legal department is checking it at the moment.
> >
> > This has got to be the saddest statement of our society, the fact that the legal department has to check on it. A simple alarm function, for the love of god that sucks. "Yup we want to release a new clock but we have to check with the Lawyers first". "Oh yeah we realize the clock has been around for hundreds of years but.."
>
> It's quite a lot more than that. It's not only an alarm function, but an entire event management framework.

Oh, and I should add that the legal check is a routine done for all new components that we intend to open source. Not everything legal has to do with patents you know... The legal department makes sure there are no mentions of documentation we might have under NDAs, no mentions of unreleased products, that all files contain proper copyright headers and license headers, that we use suitable licenses (to avoid incompatible license mixing), that there are no leaks of source code that isn't intended for release, etc.

Some of these checks are stuff that everyone should do anyway; it's stuff that's a routine check when creating any Debian package (the DFSG checks, etc). But of course in the corporate world everything needs to have a paper trail (well, it might be a digital trail these days, I'm not sure -- I'm not working for the legal department...), so everything takes a lot longer than in an open source project. There's also the need for proper maintenance plans etc.

Regards: David
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Wed, 2006-25-10 at 19:54 +0300, David Weinehall wrote:
> On Wed, 2006-10-25 at 09:39 -0700, ext George Farris wrote:
> > On Wed, 2006-25-10 at 18:57 +0300, David Weinehall wrote:
> > > Most of the quirks have been twisted out now; it's almost functional, and our legal department is checking it at the moment.
> >
> > This has got to be the saddest statement of our society, the fact that the legal department has to check on it. A simple alarm function, for the love of god that sucks. "Yup we want to release a new clock but we have to check with the Lawyers first". "Oh yeah we realize the clock has been around for hundreds of years but.."
>
> It's quite a lot more than that. It's not only an alarm function, but an entire event management framework.

Yes I realize it is far more than an alarm function and in no way meant to say that what you are creating is trivial, just that it's all been done before.

Cheers
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Wed, 2006-10-25 at 09:39 -0700, ext George Farris wrote:
> On Wed, 2006-25-10 at 18:57 +0300, David Weinehall wrote:
> > Most of the quirks have been twisted out now; it's almost functional, and our legal department is checking it at the moment.
>
> This has got to be the saddest statement of our society, the fact that the legal department has to check on it. A simple alarm function, for the love of god that sucks. "Yup we want to release a new clock but we have to check with the Lawyers first". "Oh yeah we realize the clock has been around for hundreds of years but.."

It's quite a lot more than that. It's not only an alarm function, but an entire event management framework.

> "Ban Software Patents" is the only response I can think of.

Totally agreed.

Regards: David
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Wed, 2006-25-10 at 18:57 +0300, David Weinehall wrote:
> Most of the quirks have been twisted out now; it's almost functional, and our legal department is checking it at the moment.

This has got to be the saddest statement of our society, the fact that the legal department has to check on it. A simple alarm function, for the love of god that sucks. "Yup we want to release a new clock but we have to check with the Lawyers first". "Oh yeah we realize the clock has been around for hundreds of years but.."

"Ban Software Patents" is the only response I can think of.
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Wed, 2006-10-25 at 17:44 +0200, ext Koen Kooi wrote:
> David Weinehall wrote:
> > On Wed, 2006-10-25 at 16:24 +0100, ext Andrew Flegg wrote:
> > > On 10/25/06, Ian <[EMAIL PROTECTED]> wrote:
> > > > maybe it's more helpful to ask if there is anything we (the community) can do to help get it out of the door?? ...
> > >
> > > That presupposes there *is* another official release planned. Until we know that, how can we offer to help?
> >
> > If the fact that marius.volmer @ *** nokia.com *** wrote:
> >
> > "and 4.22.1 will be in the next maintenance release of IT 2006."
> >
> > doesn't indicate that another official release is planned from your point of view, you live in a very twisted world indeed.
>
> No, we are just used to people from nokia saying 'a' and doing 'b'. Remember the clock framework discussion?

Uhm, no, but I do remember a discussion about an alarm framework, and it's still worked on. Most of the quirks have been twisted out now; it's almost functional, and our legal department is checking it at the moment. (Oh, actually, there is a clock framework too, but that's part of the kernel and has been accepted upstream to the best of my knowledge...)

> And smartass replies from an @nokia.com address aren't creating a lot of community goodwill either.

Well, smartass replies from @dominion.kabel.utwente.nl don't do much good either.

Regards: David
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
"ext David Weinehall" <[EMAIL PROTECTED]> writes:
> On Wed, 2006-10-25 at 16:24 +0100, ext Andrew Flegg wrote:
> > On 10/25/06, Ian <[EMAIL PROTECTED]> wrote:
> > > maybe it's more helpful to ask if there is anything we (the community) can do to help get it out of the door?? ...
> >
> > That presupposes there *is* another official release planned. Until we know that, how can we offer to help?
>
> If the fact that marius.volmer @ *** nokia.com *** wrote:
>
> "and 4.22.1 will be in the next maintenance release of IT 2006."
>
> doesn't indicate that another official release is planned from your point of view, you live in a very twisted world indeed.

Well, plans change. You never know. I really should have said "will be in the next maintenance release of IT 2006, if there is one". This poor hacker here at least hopes that there will be one.
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On 10/25/06, David Weinehall <[EMAIL PROTECTED]> wrote:
> On Wed, 2006-10-25 at 16:24 +0100, ext Andrew Flegg wrote:
> > On 10/25/06, Ian <[EMAIL PROTECTED]> wrote:
> > > maybe it's more helpful to ask if there is anything we (the community) can do to help get it out of the door?? ...
> >
> > That presupposes there *is* another official release planned. Until we know that, how can we offer to help?
>
> If the fact that marius.volmer @ *** nokia.com *** wrote:
>
> "and 4.22.1 will be in the next maintenance release of IT 2006."
>
> doesn't indicate that another official release is planned from your point of view,

Apart from the fact there's lots of semantic wriggle room in "next maintenance release of IT 2006", until today all we knew of what *Nokia* were planning to do was:

* Sardine.
* Herring (through a mention of Carlos on #maemo)
* IT 2007 mentioned in Bugzilla
* A hint, through hearsay, about improved HWR from a trade show.
* A reference to "updated OS" on Nokia's pages about the GPS stuff.

If Nokia's plans now solely consist of yearly releases (with no word as to whether or not they cost money), the community'll probably want to start thinking about forking whatever's present so that we're not dependent on occasional, drip-fed releases from Nokia. If Nokia's plans include maintenance releases for IT 2006, is it really that unreasonable to ask when they'll be?

> you live in a very twisted world indeed.

Perhaps, but I don't think that's relevant ;-)

Nokia can't have it both ways: they're either open and sharing and can claim to release "when it's ready" (where "ready" is also defined by the community); or they're closed, proprietary and have paying customers (and potential customers) dependent on a roadmap.

Either way, some professionalism would be nice.

Cheers,

Andrew

--
Andrew Flegg -- mailto:[EMAIL PROTECTED] | http://www.bleb.org/
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
David Weinehall wrote:
> On Wed, 2006-10-25 at 16:24 +0100, ext Andrew Flegg wrote:
> > On 10/25/06, Ian <[EMAIL PROTECTED]> wrote:
> > > maybe it's more helpful to ask if there is anything we (the community) can do to help get it out of the door?? ...
> >
> > That presupposes there *is* another official release planned. Until we know that, how can we offer to help?
>
> If the fact that marius.volmer @ *** nokia.com *** wrote:
>
> "and 4.22.1 will be in the next maintenance release of IT 2006."
>
> doesn't indicate that another official release is planned from your point of view, you live in a very twisted world indeed.

No, we are just used to people from nokia saying 'a' and doing 'b'. Remember the clock framework discussion?

And smartass replies from an @nokia.com address aren't creating a lot of community goodwill either.
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Wed, 2006-10-25 at 16:30 +0100, ext Andrew Flegg wrote:
> On 10/25/06, David Weinehall <[EMAIL PROTECTED]> wrote:
> > [snip]
> >
> > You know, IMO (not official Nokia policy) this isn't exactly a high risk security issue. To exploit, you need to install a package from an external, non-trusted source. Once you start installing non-trusted 3rd party applications, you're dead anyway.
>
> That's not what Marius said:
>
> > The overflow happens when there is a repository in /etc/apt/sources.list that contains such an icon in one of its packages, or when you have installed a .deb file with such an icon.
>
> As such, it only requires someone to add a repository containing MyEvilPackage (and then presumably look at the AM in such a way as to display that package's icon).

Well, it still is a low-level risk, since you have to add an untrusted repository to your repository-list.

Regards: David
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Wed, 2006-10-25 at 16:24 +0100, ext Andrew Flegg wrote:
> On 10/25/06, Ian <[EMAIL PROTECTED]> wrote:
> > maybe it's more helpful to ask if there is anything we (the community) can do to help get it out of the door?? ...
>
> That presupposes there *is* another official release planned. Until we know that, how can we offer to help?

If the fact that marius.volmer @ *** nokia.com *** wrote:

"and 4.22.1 will be in the next maintenance release of IT 2006."

doesn't indicate that another official release is planned from your point of view, you live in a very twisted world indeed.

Regards: David
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On 10/25/06, David Weinehall <[EMAIL PROTECTED]> wrote:
> [snip]
>
> You know, IMO (not official Nokia policy) this isn't exactly a high risk security issue. To exploit, you need to install a package from an external, non-trusted source. Once you start installing non-trusted 3rd party applications, you're dead anyway.

That's not what Marius said:

> The overflow happens when there is a repository in /etc/apt/sources.list that contains such an icon in one of its packages, or when you have installed a .deb file with such an icon.

As such, it only requires someone to add a repository containing MyEvilPackage (and then presumably look at the AM in such a way as to display that package's icon).

> That said: we're a Debian based distribution, hence we follow the Debian release policy. We release when it's ready.

As I said in reply to Ian, at the moment it's not even clear that another release *is* planned: as far as we know, the next release could be planned for 2008 on the Nokia 880, with a cutdown version available for 770 die-hards for the bargain basement price of 999EUR.

Some clarity would, therefore, be very much appreciated.

Cheers,

Andrew

--
Andrew Flegg -- mailto:[EMAIL PROTECTED] | http://www.bleb.org/
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On 10/25/06, Ian <[EMAIL PROTECTED]> wrote:
> maybe it's more helpful to ask if there is anything we (the community) can do to help get it out of the door?? ...

That presupposes there *is* another official release planned. Until we know that, how can we offer to help?

Cheers,

Andrew

--
Andrew Flegg -- mailto:[EMAIL PROTECTED] | http://www.bleb.org/
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Wed, 2006-10-25 at 16:01 +0100, ext Andrew Flegg wrote:
> On 10/25/06, Marius Vollmer <[EMAIL PROTECTED]> wrote:
> > this is embarrassing: there is a buffer overflow in the Application Manager that is triggered when dealing with package icons that are larger than 2048 bytes after base64 decoding.
>
> Oops. Thanks for the disclosure.
>
> > The bug is present in all versions of osso-application-manager less than 4.36, except 4.22.1. Version 4.36 will appear in Sardine soonish, and 4.22.1 will be in the next maintenance release of IT 2006.
> > [snip]
>
> This now brings the question of an end-user roadmap back to the fore with a vengeance. To put it bluntly, how long is Nokia going to leave end users vulnerable to possible attacks? When *is* the next maintenance release of IT 2006?

You know, IMO (not official Nokia policy) this isn't exactly a high risk security issue. To exploit, you need to install a package from an external, non-trusted source. Once you start installing non-trusted 3rd party applications, you're dead anyway.

That said: we're a Debian based distribution, hence we follow the Debian release policy. We release when it's ready.

Regards: David Weinehall
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
Hello,

> This now brings the question of an end-user roadmap back to the fore with a vengeance. To put it bluntly, how long is Nokia going to leave end users vulnerable to possible attacks? When *is* the next maintenance release of IT 2006?

maybe it's more helpful to ask if there is anything we (the community) can do to help get it out of the door?? ...

[]'s

--
Ian Lawrence
http://ianlawrence.info
Centre for Bioinformatics
INSTITUTO NACIONAL DE PESQUISAS DA AMAZÔNIA-INPA
RUA ANDRÉ ARAÚJO N º .2936 , BAIRRO DO ALEIXO
MANAUS-AMAZONAS-BRAZIL
Research Program in Biodiversity
http://ppbio.inpa.gov.br
PHONE: 055-92-3643-3358
CEP. 69011 -970
| Please do not send me documents in a closed
| format.(*.doc,*.xls,*.ppt)
| Use the open alternatives. (*.pdf,*.html,*.txt)
http://www.gnu.org/philosophy/no-word-attachments.html
>>> return [type for type in types if type not in types_to_exclude]
If you can see the beauty, then Python got you
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On 10/25/06, Marius Vollmer <[EMAIL PROTECTED]> wrote:
> this is embarrassing: there is a buffer overflow in the Application Manager that is triggered when dealing with package icons that are larger than 2048 bytes after base64 decoding.

Oops. Thanks for the disclosure.

> The bug is present in all versions of osso-application-manager less than 4.36, except 4.22.1. Version 4.36 will appear in Sardine soonish, and 4.22.1 will be in the next maintenance release of IT 2006.
> [snip]

This now brings the question of an end-user roadmap back to the fore with a vengeance. To put it bluntly, how long is Nokia going to leave end users vulnerable to possible attacks? When *is* the next maintenance release of IT 2006?

Cheers,

Andrew

--
Andrew Flegg -- mailto:[EMAIL PROTECTED] | http://www.bleb.org/
[maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
Hi,

this is embarrassing: there is a buffer overflow in the Application Manager that is triggered when dealing with package icons that are larger than 2048 bytes after base64 decoding. The overflow happens when there is a repository in /etc/apt/sources.list that contains such an icon in one of its packages, or when you have installed a .deb file with such an icon.

The bug is present in all versions of osso-application-manager less than 4.36, except 4.22.1. Version 4.36 will appear in Sardine soonish, and 4.22.1 will be in the next maintenance release of IT 2006.

The overflow does usually not result in a crash, though. The icon will usually be treated as corrupted and the default icon will be shown.

If you maintain a repository, it would be good to check the packages in it for icons that are too large. Also, it would be a good idea to reject packages whose icons are too large. You can use the attached script as a starting point. I will check the repositories listed on maemo.org.

Limiting icons to 2k seems reasonable to me; almost all of them are smaller than that. So while this is an unfortunate situation, I don't think disallowing icons larger than 2k for packages that are meant for IT 2006 will be that bad.

Sorry for the bad news, but please spread them.

#! /bin/sh
# Usage: check-icon-overflow DEB
#
# Checks whether the maemo icon in DEB triggers the buffer overflow in
# the Application Manager.

set -e

if [ $# != 1 ]; then
    echo "usage: check-icon-overflow DEB" >&2
    exit 2
fi

# Read the Maemo-Icon-26 control field of the package, decode its base64
# payload and count the decoded bytes.  (Note: where base64-decode is not
# available, coreutils' "base64 -di" does the same job; -i makes it ignore
# the leading whitespace of the field's continuation lines.)
size=`dpkg-deb -f "$1" Maemo-Icon-26 | base64-decode | wc -c`

if [ "$size" -gt 2048 ]; then
    echo "Icon in $1 is larger than 2048 bytes."
    echo "  Some versions of the Application Manager might crash"
    echo "  when trying to handle it."
    exit 1
fi

echo "(Icon of `basename "$1"` is $size bytes.)"
exit 0
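The repository-wide check the advisory asks maintainers for, as an added example in Python (not the script from the original post): it parses the stanzas of a Packages index, reassembles each wrapped Maemo-Icon-26 field, base64-decodes it and reports packages whose decoded icon exceeds the 2048-byte limit, treating undecodable icons as findings too. The sample stanzas and the _icon_field helper are constructed for the example.

```python
"""Find Maemo-Icon-26 fields in a Packages index whose decoded size
exceeds the 2048-byte limit from the advisory.  Added example; the
stanzas at the bottom are constructed, not taken from any repository."""
import base64
import binascii

ICON_FIELD = "Maemo-Icon-26"
ICON_LIMIT = 2048  # decoded bytes; larger icons overflow the buffer


def parse_stanzas(text):
    """Split RFC-822-style control text into a list of dicts.

    A line starting with space or tab continues the previous field
    (leading whitespace dropped); a lone "." continuation line stands
    for an empty line, as in Debian control files.  Blank lines
    separate stanzas.
    """
    stanzas, current, last = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                stanzas.append(current)
            current, last = {}, None
            continue
        if raw[0] in " \t":
            if last is None:
                raise ValueError("continuation line before any field")
            line = raw.strip()
            current[last] += "\n" + ("" if line == "." else line)
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        last = name.strip()
        current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def decoded_icon_size(stanza):
    """Return the decoded byte length of the stanza's icon (0 if absent).

    All whitespace is removed first because the value is wrapped over
    continuation lines.  validate=True makes a field that is not valid
    base64 raise binascii.Error instead of silently decoding a shorter
    payload and slipping under the limit.
    """
    field = stanza.get(ICON_FIELD)
    if field is None:
        return 0
    payload = "".join(field.split())
    return len(base64.b64decode(payload, validate=True))


def oversized_icons(text, limit=ICON_LIMIT):
    """Return [(package, decoded_size)] for stanzas over `limit` bytes.

    Undecodable icons are reported with size -1 so the maintainer sees
    them rather than having them skipped."""
    found = []
    for stanza in parse_stanzas(text):
        try:
            size = decoded_icon_size(stanza)
        except binascii.Error:
            size = -1
        if size > limit or size < 0:
            found.append((stanza.get("Package", "?"), size))
    return found


def _icon_field(data):
    """Encode `data` as a wrapped Maemo-Icon-26 field (constructed helper)."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 60] for i in range(0, len(b64), 60)]
    return ICON_FIELD + ":\n " + "\n ".join(lines)


# Constructed sample index: one icon under the limit, one over it, and
# one corrupt field.  Real icons are PNG data; the bytes here are filler.
SAMPLE_PACKAGES = "\n\n".join([
    "Package: small-app\nVersion: 1.0\n" + _icon_field(b"\x89PNG" + b"\x00" * 1500),
    "Package: big-app\nVersion: 2.0\n" + _icon_field(b"\x89PNG" + b"\xff" * 3000),
    "Package: broken-app\nVersion: 0.1\n" + ICON_FIELD + ":\n not*base64*at*all",
]) + "\n"

if __name__ == "__main__":
    for pkg, size in oversized_icons(SAMPLE_PACKAGES):
        desc = "undecodable" if size < 0 else "%d bytes" % size
        print("%s: icon %s" % (pkg, desc))
```

Run it against a real index with `oversized_icons(open("Packages").read())`; the same parser works on the control file extracted from a single .deb.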