[PD] Pd-0.39.2-extended-rc4 released on ubuntu

Mathieu Bouchard matju at artengine.ca
Thu Jul 12 21:18:40 CEST 2007

On Thu, 12 Jul 2007, pd-list-request at iem.at wrote:

> would it be possible to add an option to ask the user if he wants to 
> chmod +s pd? some people told me it's dangerous. is it really? pd is 
> already a powerful (read dangerous) software with the objet system, 
> shell or netreceive...

Last year I demonstrated that it is possible to make a very small external 
that gives root access to the whole pd process. This vulnerability only 
affects Miller's pd, including pd-0.41-0test04 (which is the absolute 
latest). I have fixed that problem during devel_0_39 and carried it into 
the desiredata branch.

This problem is largely theoretical so far, as it requires an external to 
play with the setuid/seteuid commands. I can't think of any external that 
does that, except the small test that I made for the purpose of verifying 
my claim.

I haven't looked much for other possible breaches of root access.

  _ _ __ ___ _____ ________ _____________ _____________________ ...
| Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada

More information about the Pd-list mailing list