[PD] Pd-0.39.2-extended-rc4 released on ubuntu

Hans-Christoph Steiner hans at eds.org
Thu Jul 12 22:59:47 CEST 2007


On Jul 12, 2007, at 3:18 PM, Mathieu Bouchard wrote:

> On Thu, 12 Jul 2007, pd-list-request at iem.at wrote:
>
>> Would it be possible to add an option to ask the user if he wants
>> to chmod +s pd? Some people told me it's dangerous. Is it really?
>> pd is already a powerful (read dangerous) software with the object
>> system, shell or netreceive...
>
> Last year I demonstrated that it is possible to make a very small  
> external that gives root access to the whole pd process. This  
> vulnerability only affects Miller's pd, including pd-0.41-0test04  
> (which is the absolute latest). I have fixed that problem during  
> devel_0_39 and carried it into the desiredata branch.
>
> This problem is largely theoretical so far, as it requires an  
> external to play with the setuid/seteuid commands. I can't think of  
> any external that does that, except the small test that I made for  
> the purpose of verifying my claim.
>
> I haven't looked much for other possible breaches of root access.

This is only possible if you are running Pd as root, which in general
is not a good idea.  If Pd is running as a different user, then you
wouldn't be able to gain root access.

.hc




----------------------------------------------------------------------------

As we enjoy great advantages from inventions of others, we should be  
glad of an opportunity to serve others by any invention of ours; and  
this we should do freely and generously.         - Benjamin Franklin
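
The setuid/seteuid point discussed in the thread, as an added example that is not part of the original messages and not Pd's code: on Linux, a setuid-root program that lowers only its effective UID keeps a saved set-user-ID of 0, so any code loaded into the process can switch back, while setting all three IDs and reading them back closes that path. The function names are hypothetical and UID 1000 is a constructed value.

```c
#define _GNU_SOURCE            /* setresuid/getresuid are Linux/glibc extensions */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* A process can get euid 0 back if any of its three user IDs is still 0:
   seteuid(0) succeeds when 0 is the real or the saved set-user-ID. */
int can_regain_root(uid_t ruid, uid_t euid, uid_t suid)
{
    return ruid == 0 || euid == 0 || suid == 0;
}

/* Same check applied to the calling process; -1 if the IDs cannot be read. */
int current_ids_can_regain_root(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return can_regain_root(r, e, s);
}

/* Permanent drop for a setuid-root program: set real, effective AND saved
   IDs to the invoking user, group first (it needs the privilege the uid
   change gives up), then read them back. Returns 0 on success. */
int drop_privileges_permanently(void)
{
    uid_t uid = getuid(), r, e, s;
    gid_t gid = getgid(), gr, ge, gs;

    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0 || getresgid(&gr, &ge, &gs) != 0)
        return -1;
    if (r != uid || e != uid || s != uid || gr != gid || ge != gid || gs != gid)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed case: the state seteuid(getuid()) leaves in a setuid-root
       binary started by uid 1000 (saved ID is still 0). */
    printf("after seteuid() only: regain root = %d\n", can_regain_root(1000, 1000, 0));
    if (drop_privileges_permanently() != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("after permanent drop: regain root = %d\n", current_ids_can_regain_root());
    return 0;
}
```

The drop has to happen before any plugin or external is loaded, since code already running with a saved ID of 0 can undo a temporary drop.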





