Julien Cristau wrote:
> On Wed, Apr  4, 2007 at 17:11:44 +0200, Arnaud Giersch wrote:
> 
> > Package: elinks
> > Version: 0.11.1-1.2
> > Severity: grave
> > Tags: security, patch
> > 
> > Hi,
> > 
> > Elinks loads untrusted gettext catalog from the relative directory
> > "../po/", and crashes (SIGSEGV) if the loaded file is corrupted. 
> 
> Hi,
> 
> I prepared an NMU for this bug, patch attached.  The patch simply
> disables the "feature" which led to the opening of untrusted files.
> 
> Security team, I'll prepare packages for sarge and etch, let me know if
> I can upload to {,old}stable-security.

I don't see evidence this allows code injection, please point me to the
code in question.

Even if, the attack vector would be far too obscure to make this relevant
in practice.

Cheers,
        Moritz

