On Tue, Sep 14, 2004 at 01:51:51PM +1200, Volker Kuhlmann wrote: > > > echo "cdr-exp.sh -- CDRecord local exploit ( Tested on > > > cdrecord-2.01-0.a27.2mdk + Mandrake10)" > > > I don't see how this is a bug in cdrecord. It's a bug in Mandrake, caused by > > shipping cdrecord setuid root. You could do the same thing with CVS (set > > CVS_RSH to /tmp/s) if your distribution was dumb enough to ship cvs setuid > > root, I would think, yet that wouldn't be a bug in CVS. > > The author of cdrecord obstinately argues that cdrecord must be > installed suid root, and is explicitly recommended. Especially SuSE, > who does not install cdrecord suid root, has taken a lot of flak over > this lately (investigate special SuSE copyright in versions 2.01a36 to > 40 or so). It also seems that kernel 2.6.8 has changes included which > make it impossible(?) not to run cdrecord suid root. Seems like a > downhill to me but I'm not really qualified to comment. This has been fixed later on at least. > In any case it would be inappropriate to call it a bug "in cdrecord" > when only testing the Mdk version, esp given the amount of patching > applied by Mdk. First test a vanilla cdrecord, then other distros. SUSE is btw not affected, since we have (as previously discussed), patched cdrecord. ;) Ciao, Marcus
Attachment:
pgp00011.pgp
Description: PGP signature