[PD] Pd-0.39.2-extended-rc4 released on ubuntu

Frank Barknecht fbar at footils.org
Fri Jul 13 00:52:05 CEST 2007

Hans-Christoph Steiner hat gesagt: // Hans-Christoph Steiner wrote:

> On Jul 12, 2007, at 3:18 PM, Mathieu Bouchard wrote:
> > Last year I demonstrated that it is possible to make a very small  
> > external that gives root access to the whole pd process. This  
> > vulnerability only affects Miller's pd, including pd-0.41-0test04  
> > (which is the absolute latest). I have fixed that problem during  
> > devel_0_39 and carried it into the desiredata branch.
> >
> > This problem is largely theoretical so far, as it requires an  
> > external to play with the setuid/seteuid commands. I can't think of  
> > any external that does that, except the small test that I made for  
> > the purpose of verifying my claim.
> >
> > I haven't looked much for other possible breaches of root access.
> This is only possible if you are running Pd as root, which is general  
> is not a good idea.  If Pd is running as a different user, then you  
> wouldn't be able to gain root access.

Matju can comment better, but AFAIR in my tests his external also
worked with a setuid root Pd started as a normal user. You can check
this with the code, it's somewhere in the bug tracker.

Anyways, making /usr/bin/pd setuid is not necessary anyway, as I wrote
in another mail.

 Frank Barknecht                 _ ______footils.org_ __goto10.org__

More information about the Pd-list mailing list