Re: [Full-Disclosure] [USN-45-1] nasm vulnerability
From: Martin Pitt (martin.pitt_at_canonical.com)
Date: 12/23/04
- Previous message: Martin Pitt: "[Full-Disclosure] [USN-49-1] debmake vulnerability"
- In reply to: Todd Towles: "RE: [Full-Disclosure] [USN-45-1] nasm vulnerability"
- Next in thread: Devdas Bhagat: "Re: [Full-Disclosure] [USN-45-1] nasm vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 23 Dec 2004 07:53:06 +0100 To: full-disclosure@lists.netsys.com
Hi Todd!
Todd Towles [2004-12-22 14:26 -0600]:
> So now, I just need to trick a user into running a malicious source file
> that I assembed and sent him, this makes it much harder.
Although I understand the irony in this, I still think that this is an
important issue. Running unknown programs _is_ a different thing than
merely compiling/assembling something. For example, Debian's and
Ubuntu's autobuilders compile and assemble code all the day, but the
compiled code is not actually ran there.
The key difference is just that by _running_ a program I expect it to
do something, whereas when I _assemble_ a source file, I do not expect
it to have any side effects (no system modification apart from writing
the output file.
> > -----Original Message-----
> > From: full-disclosure-bounces@lists.netsys.com
> > [mailto:full-disclosure-bounces@lists.netsys.com] On Behalf
> > Of Martin Pitt
> > Sent: Wednesday, December 22, 2004 4:53 AM
> > To: ubuntu-security-announce@lists.ubuntu.com
> > Cc: bugtraq@securityfocus.com; full-disclosure@lists.netsys.com
> > Subject: [Full-Disclosure] [USN-45-1] nasm vulnerability
> >
> > ===========================================================
> > Ubuntu Security Notice USN-45-1 December 22, 2004
> > nasm vulnerability
> > CAN-2004-1287
> > ===========================================================
> > [...]
Martin
-- Martin Pitt http://www.piware.de Ubuntu Developer http://www.ubuntulinux.org Debian GNU/Linux Developer http://www.debian.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- application/pgp-signature attachment: Digital signature
- Previous message: Martin Pitt: "[Full-Disclosure] [USN-49-1] debmake vulnerability"
- In reply to: Todd Towles: "RE: [Full-Disclosure] [USN-45-1] nasm vulnerability"
- Next in thread: Devdas Bhagat: "Re: [Full-Disclosure] [USN-45-1] nasm vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
