It's not s[ug]id anything on the three machines I just checked. Are you sure you didn't set that bit yourself?

Justin

On Sat, Mar 05, 2005 at 02:15:46AM -0800, Chris Wedgwood wrote:
> Package: mpg321
> Version: 0.2.10.3
> Severity: critical
> Tags: security
>
> mpg321 is installed setuid root probably to do scheduler magic or
> whatever (didn't check). Anyhow, this means you can invoke it using
> "mpg321 -w /etc/passwd foo/mp3" or whatever.
>
> For now I would suggest we remove the suid bit (clearly this has
> issues too, but those are less severe than being able to trash arbitrary
> files as non-root).
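
One way to settle the question raised in this thread on a given machine, as an added example that is not part of either message: check the mode bits of the installed binary and look for a registered dpkg-statoverride entry. The helper names `suid_status` and `local_override` are hypothetical.

```shell
#!/bin/sh
# Added example. Prints "<state> uid=<owner>" for a program, where <state> is
# none, setuid, setgid or setuid+setgid; prints "missing" if it is not found.
suid_status() {
    ss_path=$1
    case $ss_path in
        */*) ;;   # already a path
        *) ss_path=$(command -v "$ss_path" 2>/dev/null) || ss_path= ;;
    esac
    if [ -z "$ss_path" ] || [ ! -f "$ss_path" ]; then
        echo missing
        return 1
    fi
    ss_state=none
    # -u and -g follow symlinks, so the bits are those of the real binary.
    [ -u "$ss_path" ] && ss_state=setuid
    if [ -g "$ss_path" ]; then
        [ "$ss_state" = setuid ] && ss_state=setuid+setgid || ss_state=setgid
    fi
    # Numeric owner from ls; -L dereferences symlinks like the tests above.
    ss_uid=$(ls -Ln "$ss_path" | awk '{print $3}')
    echo "$ss_state uid=$ss_uid"
}

# Debian only: print any dpkg-statoverride entry registered for the path.
# An entry means the mode comes from an override (set by the administrator
# or a maintainer script) rather than from the mode shipped in the package.
local_override() {
    command -v dpkg-statoverride >/dev/null 2>&1 || return 2
    dpkg-statoverride --list "$1"
}

# Stand-alone use: sh suid_check.sh mpg321
if [ "$#" -gt 0 ]; then
    suid_status "$1"
    local_override "$(command -v "$1")" || echo "no statoverride entry found"
fi
```

A result of `setuid uid=0` together with a statoverride entry points to a local change; the same result with no entry points back at the package.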