[maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories

From: Andrew Flegg andrew at bleb.org
Date: Wed Oct 25 18:30:45 EEST 2006

On 10/25/06, David Weinehall <david.weinehall at nokia.com> wrote:
>
[snip]
>
> You know, IMO (not official Nokia policy) this isn't exactly a high risk
> security issue.  To exploit, you need to install a package from an
> external, non-trusted source.  Once you start installing non-trusted 3rd
> party applications, you're dead anyway.

That's not what Marius said:
>
> The overflow happens when there is a repository in
> /etc/apt/sources.list that contains such an icon in one of its
> packages, or when you have installed a .deb file with such an icon.

As such, it only requires someone to add a repository containing
MyEvilPackage (and then presumably look at the AM in such a way as to
display that package's icon).

> That said: we're a Debian based distribution, hence we follow the Debian
> release policy.  We release when it's ready.

As I said in reply to Ian, at the moment it's not even clear that another
release *is* planned: as far as we know, the next release could be planned
for 2008 on the Nokia 880, with a cut-down version available for 770
die-hards for the bargain basement price of 999EUR.

Some clarity would, therefore, be very much appreciated.

Cheers,

Andrew

-- 
Andrew Flegg -- mailto:andrew at bleb.org  |  http://www.bleb.org/
