I'm starving now, feeling dead on my feet
1st July 2007
Three, count them, three local root exploits discovered so far via the source scan of the Debian archive. More to follow.
- DSA-1326-1: fireflier-server
- DSA-1327-1: gsambad
- DSA-1328-1: unicon-imc2
- This is an interesting one because the library itself isn't setuid, but it is linked to by the setuid application zhcon.
- Which makes this exploit an instant root attack.
Right now my biggest irritation is the amount of time it takes to report bugs in packages which don't have security issues - just bad coding. It takes me a fair while to do it, since I either have to install the package and use "reportbug", or lookup version numbers and submit manually. I should think of a better way of doing it.