[vdr] vdr, vdradmin 0.96: security bugs?

To: vdr@linuxtv.org
Subject: [vdr] vdr, vdradmin 0.96: security bugs?
From: Darren Salt <linux@youmustbejoking.demon.co.uk>
Date: Thu, 30 Dec 2004 00:08:04 +0000
Content-type: text/plain; charset=us-ascii
List-help: <mailto:ecartis@linuxtv.org?subject=help>
List-id: vdr <vdr.mail>
List-owner: <mailto:listmaster@convergence.de>
List-post: <mailto:vdr@linuxtv.org>
List-software: Ecartis version 1.0.0
List-subscribe: <mailto:ecartis@linuxtv.org?subject=subscribe%20vdr>
List-unsubscribe: <mailto:ecartis@linuxtv.org?subject=unsubscribe%20vdr>
Reply-to: vdr@linuxtv.org
Sender: vdr-bounce@linuxtv.org
User-agent: Messenger-Pro/3.03b4 (MsgServe/2.16) (RISC-OS/4.02) POPstar/2.06-ds.3

I've just come across a Debian bug report which describes insecure use of
temporary files in vdradmin 0.96 - see <URL:http://bugs.debian.org/287601>
(patch available). It looks like a root-only problem, so those of you who are
using my packages (or are otherwise running vdr as non-root) shouldn't be
affected.

There's also comment on a lack of checks in vdr to defend against things such
as symlink attacks, although these are presumably referring to 1.2.6. I've
not looked for myself.

-- 
| Darren Salt | nr. Ashington, | d youmustbejoking,demon,co,uk
| Debian,     | Northumberland | s zap,tartarus,org
| RISC OS     | Toon Army      | @
|   We've got Shearer, you haven't

If it isn't broken, break it then charge for repair.

Prev by Date: [vdr] Re: Bug#287428: using DVB-T Nova "Budget" card - vdr fails to detect /dev/video0
Next by Date: [vdr] Re: How to name the audio tracks?
Previous by thread: [vdr] Re: Bug#287428: using DVB-T Nova "Budget" card - vdr fails to detect /dev/video0
Next by thread: [vdr] OF: How to get optical out from nexus-s dvd card.
Index(es):
- Date
- Thread

Home | Main Index | Thread Index