CAN-2005-0020 Erik Sj?lund discovered that playmidi, a MIDI player, contains a setuid root program with a buffer overflow that can be exploited by a local attacker.
Created attachment 48784 [details, diff] CAN-2005-0020.patch Patch yoinked from Debian's diff.
sound, please verify/apply patch.
in cvs. ready for GLSA.
AFAICT we don't have any of playmidi installed SUID root so this doesn't affect us. sound team, please confirm... In which case it's good to have the fixed version in portage but calling arch testing and GLSA is overkill.
-rwxr-xr-x 1 root root 51212 Jan 18 10:51 /usr/bin/gtkplaymidi -rwxr-xr-x 1 root root 46796 Jan 18 10:51 /usr/bin/playmidi -rwxr-xr-x 1 root root 41772 Jan 18 10:51 /usr/bin/splaymidi -rwxr-xr-x 1 root root 46988 Jan 18 10:51 /usr/bin/xplaymidi Our playmidi doesn't contain any SUID root program. This is not a vulnerability to us, even if it was a bug that it was better to fix.
