Erik Sj
Erik Sjölund discovered that a buffer overflow in fliccd which is installed setuid root (at least on Debian/unstable) can be exploited quite easily and will probably allow arbitrary code to be executed. KDE has been notified.
It is also setuid root on Gentoo.
KDE, is it possible to fix the permissions in 2005.0 (and mention nothing else in the Changelog)?
Created attachment 49736 [details, diff] kstars-minimal.diff Here's a minimal patch to fix this vulnerability. Dirk will send the entire upstream patch later.
Carlo, caleb please advise on comment #2.
I can't test the patch until later this evening - it will need to be cleaned up to work in Gentoo, but shouldn't be a problem. If nobody gets to it first I'll go ahead and bump it - should be okay to just leave stable on all arches.
Waiting for new coordinated release date. KDE please be ready to patch.
New release date is February 15th
Hm, "nobody" is about to commit. What about the changelog - do I violate any stupid vendor sec agreements, if I write "buffer overflows in fliccd of kstars"?
carlo: since we are very close to disclosure date, I'd say you can commit with any comment you want.
Koon: Are you sure about "any comment"? ;) I'd like to know, how do we deal with this in general. Just "security bug, #1010101"? <<< kdeedu-3.3.2-r1.ebuild arch herds: would you please!?
Carlo: Confidential bugs shouldn't be disclosed at all. No CVS commit, no Changelog or whatever. Semi-public bugs can be committed to CVS, but with cryptic comments like "bug #101010". When we are at disclosure date, its OK to commit and comment. This bug should be open ASAP so that arch people can comment on it :)
Thx Carlo. Opening bug. Arches please test and mark stable.
Koon: O.k., even though I dislike this closed list approach at all, it makes sense in context. I bet I'm not the only one who is/wasn't sure about it. Maybe a good question for the become-a-developer quiz.
Carlo -- see the repeated flamewars on the gentoo-user list that come up every now and again when people get a ChangeLog entry telling them to access a restricted bug. Not pretty, but they tend to cover all the issues.
Upgrading severity. Remote root is apparently possible in certain configurations.
sparc stable.
stable on ppc64
Stable on alpha.
Marked stable on ppc by lu_zero.
stable on amd64
Thx everyone. GLSA 200502-23 ia64 and hppa please remember to mark stable.
Already stable on hppa