[Full-Disclosure] [USN-45-1] nasm vulnerability
Martin Pitt
martin.pitt at canonical.com
Thu Dec 23 06:53:06 GMT 2004
Hi Todd!
Todd Towles [2004-12-22 14:26 -0600]:
> So now, I just need to trick a user into running a malicious source file
> that I assembed and sent him, this makes it much harder.
Although I understand the irony in this, I still think that this is an
important issue. Running unknown programs _is_ a different thing than
merely compiling/assembling something. For example, Debian's and
Ubuntu's autobuilders compile and assemble code all the day, but the
compiled code is not actually ran there.
The key difference is just that by _running_ a program I expect it to
do something, whereas when I _assemble_ a source file, I do not expect
it to have any side effects (no system modification apart from writing
the output file.
> > -----Original Message-----
> > From: full-disclosure-bounces at lists.netsys.com
> > [mailto:full-disclosure-bounces at lists.netsys.com] On Behalf
> > Of Martin Pitt
> > Sent: Wednesday, December 22, 2004 4:53 AM
> > To: ubuntu-security-announce at lists.ubuntu.com
> > Cc: bugtraq at securityfocus.com; full-disclosure at lists.netsys.com
> > Subject: [Full-Disclosure] [USN-45-1] nasm vulnerability
> >
> > ===========================================================
> > Ubuntu Security Notice USN-45-1 December 22, 2004
> > nasm vulnerability
> > CAN-2004-1287
> > ===========================================================
> > [...]
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041223/f9d67fe7/attachment.bin
Full-Disclosure is hosted and sponsored by Secunia.