Bug#887348: steam:i386: execmod access is requested, security issue
Simon McVittie
smcv at debian.org
Mon Jan 15 12:17:36 UTC 2018
On Mon, 15 Jan 2018 at 22:40:16 +1100, Russell Coker wrote:
> On Monday, 15 January 2018 11:18:42 AM AEDT Simon McVittie wrote:
> > Sorry, we do not control the binaries that Valve
> > use in Steam. You're welcome to take this upstream to
> > https://github.com/ValveSoftware/steam-for-linux/issues/ if you believe
> > the use of generic i386 binaries is a security problem.
>
> https://github.com/ValveSoftware/steam-for-linux/issues/5340
Thanks. That might be more likely to be addressed if there was a tl;dr
summary of the impact and solution that doesn't require reading blog
posts.
Impact: am I right in thinking that this is not in itself a security
vulnerability, but that if there is a separate security vulnerability
somewhere in Valve's binaries, having execmod access makes it
significantly easier for an attacker to turn that vulnerability into
arbitrary code execution, similar to an absence of the hardening measures
(stack protecter, PIC, etc.) that we're encouraged to use in packages
that are built from source?
Am I right in saying that replacing some or all of the i386 binaries
with x86_64 binaries would be sufficient? Or is there some simple thing
Valve could do with a general-purpose compiler (I think they use gcc/g++)
to get i386 binaries with the right magic flags?
(I don't know whether Valve would be willing to require x86_64 for Steam
- a lot of older games are only available as i386 binaries, and having
steam be an i386 package makes it a lot easier to pull in i386 multiarch
graphics drivers and other necessary libraries from the host system -
but it's worth asking.)
smcv
More information about the Pkg-games-devel
mailing list