Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 31 Mar 2003 13:24:20 +0200
From:      Davide Lemma <davide.lemma@sito.it>
To:        ports@freebsd.org
Subject:   again... serious security hole in a port (dcgui/dclib)
Message-ID:  <20030331132420.0b94c5ae.davide.lemma@sito.it>

next in thread | raw e-mail | index | archive | help
Hello again... really frustated this will be my last attempt to try to commit a
fresh updated rebuild of a port with a really serious security hole.

The port is dcgui/dclib, as reported by original developer (i'm in the
developing team too), there is a high security hole in all versions of the
software prior to version 0.2.3.
This bug can compromise the whole system.
The software permits to share, with other similar clients, one or more
directories of the system. With all versions prior to 0.2.3 version is possible
due to a bug to see all the content of the whole filesystem and not just the
configured directories.

I've yet advised the official port's maintainer more than one month ago, but the
answer was that he was leaving the port maintainment. I've yet sent trought
send-pr the new diff files to update the port. Current version is 0.2.8, while
in the port tree there is yet 0.1.11beta version!! (one year and half older).

Hoping that with this advise will be taken soon a decision.
Most users don't know how can be dangerous this kind of bug and they can have
their system compromised so easy.

Thank in advance for attention.

Best regards, 
Davide Lemma

-- 
Davide Lemma >> Sistemi Informatici Torino >> www.sito.it

GPG Publick Key: http://www.sito.it/davidelemma_pubkey.txt
GPG FingerPrint: DC91 31EC 163C 24FE E0E2  6DC6 5580 F134 D4EB 694D



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030331132420.0b94c5ae.davide.lemma>