[squeak-dev] Security Vulnerability in SqueakSource
Matthew Fulmer
tapplek at gmail.com
Mon Mar 21 02:24:32 UTC 2011
As demonstrated by the VMMaker team, SqueakSource has a rather
serious security vulnerability:
http://bugs.squeak.org/view.php?id=7617
Below is the dialog that led to this discovery:
On Sun, Mar 20, 2011 at 11:26:20AM -0700, Eliot Miranda wrote:
> > > Hmm, wouldn't applying the default naming scheme prevent such
> > overwrites?
> > >
> > > That is, now there would be
> > > VMMaker-oscog-eem.52
> > > for Eliot's version and
> > > VMMaker-oscog-IgorStasenko.52
> > > for Igor's version.
> > > What would prevent us from that?
> > >
> > > I don't see a naming conflict. I've been using VMMaker-oscog.NN since
> > the beginning and Igor has been using VMMaker-oscog-IgorStasenko.NN. This
> > isn't about names, it's about content. Igor is miffed I didn't merge in
> > some changes he made when I published VMMaker-oscog.52, right Igor?
> > >
> >
> > No, you obviously accidentally overwrote his version of the 18th of March:
> >
>
> So how did Monticello allow me to do that? That's a /bad/ bug.
>
>
> >
> > >>>
> > Name: VMMaker-oscog.52
> > Author: IgorStasenko
> > Time: 18 March 2011, 12:45:14 am
> > UUID: a2810aac-4423-6740-b70e-7e821b979cb4
> > Ancestors: VMMaker-oscog-IgorStasenko.50,
> > VMMaker-oscog-EstebanLorenzano.50, VMMaker-oscog.51
> >
> > Merge with oscog-49-51 & Esteban-50
> > <<<<
> >
> > which has the same file name as yours:
> >
> > >>>
> > Name: VMMaker-oscog.52
> > Author: eem
> > Time: 20 March 2011, 9:31:20 am
> > UUID: 1241a856-8570-4725-a069-a6d3d8a8a222
> > Ancestors: VMMaker-oscog.51
> >
> > Fix primitiveFlushCacheByMethod for objects-as-methods.
> > <<<<
--
Matthew Fulmer (a.k.a. Tapple)
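
Added example, not part of the original message and not SqueakSource's own code: the thread quotes two uploads named VMMaker-oscog.52 with different UUIDs, the later one replacing the earlier. The sketch below shows a repository-side write-once check that would reject the second upload; `WriteOnceStore`, `publish` and `replay` are hypothetical names, and the content bytes are constructed.

```python
import hashlib


class VersionConflict(Exception):
    """An upload would replace a different version stored under the same name."""


class WriteOnceStore:
    """Hypothetical repository: a stored version name is never overwritten."""

    def __init__(self):
        self.versions = {}  # version name -> (uuid, sha256 of content)

    def publish(self, name, uuid, content):
        entry = (uuid, hashlib.sha256(content).hexdigest())
        existing = self.versions.get(name)
        if existing is None:
            self.versions[name] = entry
            return "stored"
        if existing == entry:
            return "unchanged"  # identical re-upload is harmless
        raise VersionConflict(f"{name} is already stored with UUID {existing[0]}")


# Name, author and UUID come from the two headers quoted in the thread;
# the content bytes are constructed placeholders.
UPLOADS = [
    ("VMMaker-oscog.52", "IgorStasenko",
     "a2810aac-4423-6740-b70e-7e821b979cb4", b"constructed content A"),
    ("VMMaker-oscog.52", "eem",
     "1241a856-8570-4725-a069-a6d3d8a8a222", b"constructed content B"),
]


def replay(uploads):
    """Publish each upload in order; return the outcomes and the final store."""
    store, outcomes = WriteOnceStore(), []
    for name, author, uuid, content in uploads:
        try:
            outcomes.append((author, store.publish(name, uuid, content)))
        except VersionConflict:
            outcomes.append((author, "rejected"))
    return outcomes, store


if __name__ == "__main__":
    print(replay(UPLOADS)[0])
```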