[maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
From: David Weinehall david.weinehall at nokia.com
Date: Wed Oct 25 18:17:43 EEST 2006

On ons, 2006-10-25 at 16:01 +0100, ext Andrew Flegg wrote:
> On 10/25/06, Marius Vollmer <marius.vollmer at nokia.com> wrote:
> >
> > this is embarrassing: there is a buffer overflow in the Application
> > Manager that is triggered when dealing with package icons that are
> > larger than 2048 bytes after base64 decoding.
>
> Oops. Thanks for the disclosure.
>
> > The bug is present in all versions of osso-application-manager less
> > than 4.36, except 4.22.1. Version 4.36 will appear in Sardine
> > soonish, and 4.22.1 will be in the next maintenance release of IT
> > 2006.
> >
> [snip]
>
> This now brings the question of an end-user roadmap back to the fore
> with a vengeance. To put it bluntly, how long is Nokia going to leave
> end users vulnerable to possible attacks? When *is* the next maintenance
> release of IT 2006?

You know, IMO (not official Nokia policy) this isn't exactly a high
risk security issue. To exploit, you need to install a package from
an external, non-trusted source. Once you start installing non-trusted
3rd party applications, you're dead anyway.

That said: we're a Debian based distribution, hence we follow the
Debian release policy. We release when it's ready.

Regards: David Weinehall
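
Added example, not part of the original message or of the Application Manager's code: one way a repository maintainer could act on the subject line is to scan a Debian-style Packages index for icon fields that decode to more than the 2048 bytes quoted above. The field name Maemo-Icon-26, the helper names and the sample index are assumptions constructed for illustration.

```python
import base64
import binascii

ICON_FIELD = "Maemo-Icon-26"  # assumption: control field holding the base64 icon
MAX_ICON_BYTES = 2048         # limit quoted in the advisory text


def parse_stanzas(text):
    """Yield one dict per package stanza of a Debian-style Packages index."""
    stanza, key = {}, None
    for line in text.splitlines():
        if not line.strip():              # blank line ends a stanza
            if stanza:
                yield stanza
            stanza, key = {}, None
        elif line[0] in " \t":            # continuation of the previous field
            if key is not None:
                stanza[key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            stanza[key] = value.strip()
    if stanza:
        yield stanza


def oversized_icons(text, limit=MAX_ICON_BYTES):
    """Return (package, decoded_size) for icons over limit; -1 = not valid base64."""
    hits = []
    for st in parse_stanzas(text):
        raw = st.get(ICON_FIELD)
        if raw is None:
            continue
        try:
            size = len(base64.b64decode("".join(raw.split()), validate=True))
        except (binascii.Error, ValueError):
            size = -1                     # report undecodable icons as well
        if size < 0 or size > limit:
            hits.append((st.get("Package", "?"), size))
    return hits


def make_stanza(name, icon_bytes):
    """Build a constructed stanza with the icon wrapped at 64 columns."""
    b64 = base64.b64encode(icon_bytes).decode()
    body = "\n".join(" " + b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"Package: {name}\nVersion: 1.0\n{ICON_FIELD}:\n{body}\n"


# Constructed sample index: one small icon, one oversized icon, one package without icon.
SAMPLE = "\n".join([make_stanza("small-icon", b"A" * 104),
                    make_stanza("big-icon", b"B" * 3004),
                    "Package: no-icon\nVersion: 2.0\n"])

if __name__ == "__main__":
    for pkg, size in oversized_icons(SAMPLE):
        print(f"{pkg}: icon decodes to {size} bytes (limit {MAX_ICON_BYTES})")
```

An icon of exactly 2048 decoded bytes is not reported, matching the "larger than 2048 bytes" wording in the quoted advisory.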