<<< Date Index >>>     <<< Thread Index >>>

Re: DJB's students release 44 *nix software vulnerability advisories



>/bin/sh exists to run shell commands.  That is the purpose of the 
>shell.  NASM, on the other hand, is designed to create object files 
>from assembly files.  If NASM starts running arbitrary code on your 
>machine, it's doing something unauthorized.  That is a security hole.  
>By typing "nasm file.S" you are not intending to authorize the author 
>of file.S to take over your account, right?

What other purpose does NASM have other than to compile code
and then, implicitely, run it?

I could buy the argument for a webbrowser or a wordprocessor;
but a assembler or compiler?

>Also, could you please show me this shell script you speak of?  All the 
>shell scripts I know of that give me root access require me to type the 
>root password.   If you have found a way around this, then you are 
>correct, "every UNIX system on Earth has a remote hole". :)

Any script which exploits a local security hole would do.

>Setting buff[1023] to '\0' is a good idea, since vsnprintf won't do 
>that if vsprintf(buff, fmt, args) generates 1024 bytes.

You should have paid better attention in class.

Casper