Hi,

I've just uploaded pulseaudio 0.9.9-1 to unstable. This fixes CVE-2008-0008, pulseaudio didn't check the return codes of setuid, which potentially made it possible for a user to prevent it from dropping permissions.

While 0.9.9 is a new upstream release, the only change since 0.9.8 is the security fix. So I opted for just uploading the new release instead of adding an extra patch.

  Sjoerd
--
In order to discover who you are, first learn who everybody else is; you're what's left.

On Thursday 24 January 2008 13:31, Sjoerd Simons wrote:
> I've just uploaded pulseaudio 0.9.9-1 to unstable. This fixes
> CVE-2008-0008, pulseaudio didn't check the return codes of setuid, which
> potentially made it possible for a user to prevent it from dropping
> permissions.
>
> While 0.9.9 is a new upstream release, the only change since
> 0.9.8 is the security fix. So I opted for just uploading the new release
> instead of adding an extra patch.

Thanks, noted.

Thijs

Hi Sjoerd,

* Sjoerd Simons <sjoerd at luon.net> [2008-01-24 13:54]:
> I've just uploaded pulseaudio 0.9.9-1 to unstable. This fixes CVE-2008-0008,
> pulseaudio didn't check the return codes of setuid, which potentially made it
> possible for a user to prevent it from dropping permissions.
[...]

Thijs already marked this as fixed in svn. Anyway, just wanted to say thanks, there are not many maintainers who come and notify us in such cases. Keep up this work!

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
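
The class of bug discussed in this thread (a privilege drop whose setuid result is never checked), next to a checked and verified drop. This is an added C example, not PulseAudio's code and not part of the original mails; `drop_privileges` is a hypothetical helper name.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Unchecked pattern of the kind the advisory describes (illustrative only):
 *     setgid(gid); setuid(uid);
 * If either call fails, execution simply continues with the old identity. */

/* Permanently switch to uid/gid. Returns 0 only if every step succeeded and
 * was verified; on -1 the caller must exit instead of carrying on. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups first; only a privileged process may change them. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) {
        perror("setgroups");
        return -1;
    }
    /* Group before user: after setuid() we may no longer be allowed to setgid(). */
    if (setgid(gid) != 0) { perror("setgid"); return -1; }
    if (setuid(uid) != 0) { perror("setuid"); return -1; }

    /* Verify the resulting identity instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        fprintf(stderr, "ids were not switched\n");
        return -1;
    }
    /* The drop must be irreversible: regaining uid 0 has to fail. */
    if (uid != 0 && setuid(0) == 0) {
        fprintf(stderr, "root could be regained\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed demo: "drop" to the ids we already have, so it runs unprivileged. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "refusing to continue with unexpected privileges\n");
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```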