shAUD321.WAV and platform security

Bill Frantz frantz@communities.com
Tue, 20 Apr 1999 14:38:37 -0700


First, you are using the wrong OS.  :-)  (I wonder when EROS will be ready
for prime time.)  Linux might give you the same grief.  You really need to
run your gsm player where it can only read from the .gsm file and "write"
to the speakers.  Without write access to a directory, it won't be able to
leave "interesting" .wavs in strange directories.

BTW - I bet it is creating a .wav so it can hand it to the MICROS~1 sound
playing applications.

As a fig leaf, you can update your release procedures to only TAR files
with approved extensions (e.g. .java, .class, .sh, .jar, etc.).

At 01:13 PM 4/20/99 -0700, Mark S. Miller wrote:
>[I'm resending the following message to the E list because of the security 
>issues it raises.  --MarkM]
>
>
>Hi Tyler, shAUD321.WAV
>
>What, how'd that get in there?  That's what I want to know.
>
>As you know, I get all my voice mail from the JFax service 
>http://www.jfax.com as voice enclosures (of type *.gsm).  For some reason, 
>when I launch my gsm player from Eudora, it leaves *.WAV droppings in my C:\ 
>folder, which I then periodically clear out.  For some even more unknown 
>reason, it left this dropping in my e/src/bin directory, which then got 
>packaged by my release-making procedure into all the tarballs I've uploaded 
>to the usual place.  It contains a message that is definitely not to be 
>publicly broadcast.  I caught this by accident and easily could have missed 
>it.  Since you're about to be unpacking and repacking these tarballs anyway, 
>could you remove it?  It seems to have gotten into all of them.
>
>
>	Disturbed,
>	--MarkM
>
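The "fig leaf" Frantz suggests, an extension allowlist enforced by the release procedure, as an added example that is not part of the original thread and not the E project's own release script. It assumes a POSIX shell, a `tar` that accepts a file list on stdin via `-T -` (GNU and BSD tar both do), and an allowlist made up of the extensions Frantz names; the helper names (`ext_allowed`, `list_unexpected`, `make_release`) are mine. Rather than silently dropping anything off the list, it refuses to build at all when an unexpected file is present, so a stray .WAV in e/src/bin stops the release instead of shipping in every tarball.

```shell
#!/bin/sh
# Added example, not the E project's release script.
# Build a release tarball only from files whose extension is on an allowlist,
# and fail closed (no tarball at all) if anything unexpected is in the tree.

# Allowlist of extensions, exact-case, space-separated (assumed set).
ALLOWED_EXTS="java class sh jar"

# ext_allowed PATH -> exit 0 if the file's extension is on the allowlist, else 1.
# Works on the basename so dots in parent directories (e.g. /tmp/tmp.XYZ) are ignored.
ext_allowed() {
  base=${1##*/}
  case "$base" in
    *.*) ext=${base##*.} ;;
    *)   return 1 ;;             # no extension at all: not approved
  esac
  for a in $ALLOWED_EXTS; do
    [ "$ext" = "$a" ] && return 0
  done
  return 1
}

# list_unexpected DIR -> print every regular file under DIR that is not approved.
# (Filenames containing newlines are not handled; spaces are fine.)
list_unexpected() {
  find "$1" -type f | while IFS= read -r f; do
    ext_allowed "$f" || printf '%s\n' "$f"
  done
}

# make_release DIR OUT -> tar DIR into OUT (give OUT as an absolute path).
# Refuses with exit 1 and lists the offenders if any unexpected file is present.
make_release() {
  dir=$1
  out=$2
  bad=$(list_unexpected "$dir")
  if [ -n "$bad" ]; then
    printf 'refusing to build %s; unexpected files in %s:\n%s\n' "$out" "$dir" "$bad" >&2
    return 1
  fi
  # Archive paths relative to DIR so the tarball does not embed the build machine's layout.
  (cd "$dir" && find . -type f | tar -cf "$out" -T -)
}
```

Run it as `make_release /path/to/e/src /tmp/e-release.tar`; a leftover shAUD321.WAV makes it exit non-zero with the file named on stderr, and nothing is uploaded. As the thread says, this is only a fig leaf: it catches files in the tree at packaging time, whereas confining the player so it cannot write into the source directory removes the problem at its source.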