[maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories

From: David Weinehall david.weinehall at nokia.com
Date: Wed Oct 25 18:17:43 EEST 2006

On ons, 2006-10-25 at 16:01 +0100, ext Andrew Flegg wrote:
> On 10/25/06, Marius Vollmer <marius.vollmer at nokia.com> wrote:
> >
> > this is embarrassing: there is a buffer overflow in the Application
> > Manager that is triggered when dealing with package icons that are
> > larger than 2048 bytes after base64 decoding.
> 
> Oops. Thanks for the disclosure.
> 
> > The bug is present in all versions of osso-application-manager less
> > than 4.36, except 4.22.1.  Version 4.36 will appear in Sardine
> > soonish, and 4.22.1 will be in the next maintenance release of IT
> > 2006.
> >
> [snip]
> 
> This now brings the question of an end-user roadmap back to the fore
> with a vengeance. To put it bluntly, how long is Nokia going to leave
> end users vulnerable to possible attacks? When *is* the next maintenance
> release of IT 2006?

You know, IMO (not official Nokia policy) this isn't exactly a high risk
security issue.  To exploit, you need to install a package from an
external, non-trusted source.  Once you start installing non-trusted 3rd
party applications, you're dead anyway.

That said: we're a Debian based distribution, hence we follow the Debian
release policy.  We release when it's ready.


Regards: David Weinehall
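
Added example, not part of the original messages and not the Application Manager's code: a base64 decoder that writes into a fixed 2048-byte icon buffer (the size named in the advisory) and refuses any input that would decode past it. The names `decode_icon` and `ICON_BUF_SIZE` and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define ICON_BUF_SIZE 2048  /* decoded-size limit named in the advisory */

/* Map one base64 character to its 6-bit value, or -1 if not in the alphabet. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 text into out[0..cap). Returns the decoded length, or -1 if
 * the input is malformed or would not fit in cap bytes. Whitespace is skipped
 * because package control fields are line-wrapped. */
long decode_icon(const char *in, unsigned char *out, size_t cap)
{
    unsigned int acc = 0;   /* bit accumulator; high bits fall off harmlessly */
    int bits = 0;           /* number of undelivered bits held in acc */
    size_t n = 0;           /* bytes written so far */

    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == ' ' || c == '\n' || c == '\r' || c == '\t') continue;
        if (c == '=') break;              /* padding marks end of data */
        int v = b64_value(c);
        if (v < 0) return -1;             /* reject foreign characters */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;      /* bounds check before every write */
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (long)n;
}

int main(void)
{
    unsigned char icon[ICON_BUF_SIZE];
    /* Constructed sample: "TWFu" is the base64 encoding of "Man". */
    printf("decoded %ld bytes\n", decode_icon("TWFu", icon, sizeof icon));
    return 0;
}
```

The caller treats a return of -1 as "skip this icon" instead of trusting whatever size the repository supplied.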
