Re: [USN-45-1] nasm vulnerability

[Martin Pitt <martin.pitt () canonical com>]

Hi Todd!

Todd Towles [2004-12-22 14:26 -0600]:
> So now, I just need to trick a user into running a malicious source file
> that I assembed and sent him, this makes it much harder.

Although I understand the irony in this, I still think that this is an
important issue. Running unknown programs _is_ a different thing than
merely compiling/assembling something. For example, Debian's and
Ubuntu's autobuilders compile and assemble code all the day, but the
compiled code is not actually ran there.

The key difference is just that by _running_ a program I expect it to
do something, whereas when I _assemble_ a source file, I do not expect
it to have any side effects (no system modification apart from writing
the output file.

> > -----Original Message-----
> > From: full-disclosure-bounces () lists netsys com 
> > [mailto:full-disclosure-bounces () lists netsys com] On Behalf 
> > Of Martin Pitt
> > Sent: Wednesday, December 22, 2004 4:53 AM
> > To: ubuntu-security-announce () lists ubuntu com
> > Cc: bugtraq () securityfocus com; full-disclosure () lists netsys com
> > Subject: [Full-disclosure] [USN-45-1] nasm vulnerability
> >
> > ===========================================================
> > Ubuntu Security Notice USN-45-1               December 22, 2004
> > nasm vulnerability
> > CAN-2004-1287
> > ===========================================================
> > [...]

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html