lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20041223065306.GB26820@box79162.elkhouse.de>
From: martin.pitt at canonical.com (Martin Pitt)
Subject: [USN-45-1] nasm vulnerability

Hi Todd!

Todd Towles [2004-12-22 14:26 -0600]:
> So now, I just need to trick a user into running a malicious source file
> that I assembed and sent him, this makes it much harder.

Although I understand the irony in this, I still think that this is an
important issue. Running unknown programs _is_ a different thing than
merely compiling/assembling something. For example, Debian's and
Ubuntu's autobuilders compile and assemble code all the day, but the
compiled code is not actually ran there.

The key difference is just that by _running_ a program I expect it to
do something, whereas when I _assemble_ a source file, I do not expect
it to have any side effects (no system modification apart from writing
the output file.

> > -----Original Message-----
> > From: full-disclosure-bounces@...ts.netsys.com 
> > [mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf 
> > Of Martin Pitt
> > Sent: Wednesday, December 22, 2004 4:53 AM
> > To: ubuntu-security-announce@...ts.ubuntu.com
> > Cc: bugtraq@...urityfocus.com; full-disclosure@...ts.netsys.com
> > Subject: [Full-Disclosure] [USN-45-1] nasm vulnerability
> > 
> > ===========================================================
> > Ubuntu Security Notice USN-45-1		  December 22, 2004
> > nasm vulnerability
> > CAN-2004-1287
> > ===========================================================
> > [...]

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041223/f9d67fe7/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ