Steve Langasek wrote:
> > > This bug has been pending for more than two months and no fix in Debian
> > > yet... Does Bruno still track his bugs?
> 
> > > Here are two patches for both Sarge and Sid versions.
> 
> > > Pierre Riteau
> 
> > > (CC'ing [EMAIL PROTECTED] for the stable fix, and the
> > > Co-Maintainer as I don't know if he receives BTS replies)
> > > (Email address in previous message for tagging is wrong, I was playing
> > > with bts thinking it wouldn't commit the changes)
> 
> > Xmame is non-free and thus not supported by the Security Team.
> > (Only the relatively obscure -svgalib version is affected, anyway.)
> 
> Is it the case that this bug doesn't affect the other frontends *at all*, or
> just that, not being suid root, it's just an arbitrary code execution bug
> instead of a root exploit?

It's a local vulnerability; the only security ramification would be a privilege
escalation:
x11 isn't setuid at all. -sdl has a strong debconf warning, that setuid
root is a risk (I guess it's used for DGA?) and the user can select it.
Only svgalib is setuid root, but a system running svgalib apps in the year
2006 is lost security-wise anyway. We should rather get rid of it completely
for Etch.

Cheers,
        Moritz

