Package: mpg321
Version: 0.2.10.3
Severity: critical
Tags: security

mpg321 is installed setuid root, probably to do scheduler magic or whatever (didn't check). Anyhow, this means you can invoke it using "mpg321 -w /etc/passwd foo/mp3" or whatever.

For now I would suggest we remove the suid bit (clearly this has issues too, but those are less severe than being able to trash arbitrary files as non-root).

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-rc4-cw
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages mpg321 depends on:
ii  libao2      0.8.5-1        Cross Platform Audio Output Librar
ii  libc6       2.3.2.ds1-20   GNU C Library: Shared libraries an
ii  libid3tag0  0.15.1b-4      ID3 tag reading library from the M
ii  libmad0     0.15.1b-1      MPEG audio decoder library
ii  zlib1g      1:1.2.2-4      compression library - runtime

-- no debconf information
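An added example, not part of the report and not mpg321 source: if a setuid-root program needs root only for a setup step (the report guesses scheduling), it can drop privileges for good before opening any path the user names, such as the argument to -w. The helper names drop_privileges and open_output are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up set-uid/set-gid privileges (hypothetical helper).
 * Returns 0 on success, -1 if the process may still be privileged. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: after the uid is dropped, setgid() may be refused. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify the effective ids now match the invoking user's. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* Verify root cannot be regained (skipped when root itself runs us). */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Open a user-supplied output path; refuses while still privileged, so
 * the kernel checks the write against the invoking user's permissions. */
int open_output(const char *path)
{
    if (geteuid() != getuid() || getegid() != getgid())
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s OUTPUT\n", argv[0]); return 2; }
    /* Any step that really needs root would run here, before the drop. */
    if (drop_privileges() != 0) { fprintf(stderr, "cannot drop privileges\n"); return 1; }
    int fd = open_output(argv[1]);
    if (fd < 0) { perror(argv[1]); return 1; }
    close(fd);
    return 0;
}
```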