Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: [USN-45-1] nasm vulnerability
From: Martin Pitt <martin.pitt () canonical com>
Date: Thu, 23 Dec 2004 07:53:06 +0100

Hi Todd!

Todd Towles [2004-12-22 14:26 -0600]:
So now, I just need to trick a user into running a malicious source file
that I assembed and sent him, this makes it much harder.

Although I understand the irony in this, I still think that this is an
important issue. Running unknown programs _is_ a different thing than
merely compiling/assembling something. For example, Debian's and
Ubuntu's autobuilders compile and assemble code all the day, but the
compiled code is not actually ran there.

The key difference is just that by _running_ a program I expect it to
do something, whereas when I _assemble_ a source file, I do not expect
it to have any side effects (no system modification apart from writing
the output file.

-----Original Message-----
From: full-disclosure-bounces () lists netsys com 
[mailto:full-disclosure-bounces () lists netsys com] On Behalf 
Of Martin Pitt
Sent: Wednesday, December 22, 2004 4:53 AM
To: ubuntu-security-announce () lists ubuntu com
Cc: bugtraq () securityfocus com; full-disclosure () lists netsys com
Subject: [Full-disclosure] [USN-45-1] nasm vulnerability

===========================================================
Ubuntu Security Notice USN-45-1               December 22, 2004
nasm vulnerability
CAN-2004-1287
===========================================================
[...]

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]