mailing list archives
Re: [USN-45-1] nasm vulnerability
From: Martin Pitt <martin.pitt () canonical com>
Date: Thu, 23 Dec 2004 07:53:06 +0100
Todd Towles [2004-12-22 14:26 -0600]:
So now, I just need to trick a user into running a malicious source file
that I assembed and sent him, this makes it much harder.
Although I understand the irony in this, I still think that this is an
important issue. Running unknown programs _is_ a different thing than
merely compiling/assembling something. For example, Debian's and
Ubuntu's autobuilders compile and assemble code all the day, but the
compiled code is not actually ran there.
The key difference is just that by _running_ a program I expect it to
do something, whereas when I _assemble_ a source file, I do not expect
it to have any side effects (no system modification apart from writing
the output file.
From: full-disclosure-bounces () lists netsys com
[mailto:full-disclosure-bounces () lists netsys com] On Behalf
Of Martin Pitt
Sent: Wednesday, December 22, 2004 4:53 AM
To: ubuntu-security-announce () lists ubuntu com
Cc: bugtraq () securityfocus com; full-disclosure () lists netsys com
Subject: [Full-disclosure] [USN-45-1] nasm vulnerability
Ubuntu Security Notice USN-45-1 December 22, 2004
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org
Description: Digital signature
Full-Disclosure - We believe in it.