Ingo.Saitz at stud.uni-hannover.de
Sun Dec 31 10:39:31 PST 2000
On Wed, Dec 27, 2000 at 11:47:41AM -0500, Kenneth C. Arnold wrote:
> ogg123 is _starting_ to get a few cleanups, but it's still wide open
> until proven otherwise. It would be interesting to see some shellcode
> for ogg123 though :) There have been reports that certain Vorbis files
> cause players to segfault, so there is something in libogg /
> libvorbis, but I wouldn't know if it's exploitable.

Hm, I think it is not a good idea to make any app using libao
setuid. You can easily select "wav" as output driver and
overwrite any file in the system with a useless wav file. Maybe
you can even make it act like an executable on some OSes?

    ogg123 -d wav -d file:/etc/nologin /dev/zero

Either you need to drop privileges in libao - which may not be
preferable - or you need to disable wav output if suid. This can
get complicated when libao supports more output drivers (e.g.
aRts, pcm, ...).

DON'T MAKE OGG123 SUID!

Instead create an "audio" group with write permissions on
/dev/dsp and add all users who should be able to play audio to
this group (and don't forget to logout/login after that).

A Happy New Year!

"Disclosed Source" programs mean software for which the source code is
available without confidential or trade secret restrictions and for which
the source code and object code are available for distribution without