Bug#887348: steam:i386: execmod access is requested, security issue

James Cowgill jcowgill at debian.org
Mon Jan 15 14:15:40 UTC 2018


Hi,

On 15/01/18 11:18, Simon McVittie wrote:
> Control: tags -1 + wontfix
> 
> On Mon, 15 Jan 2018 at 21:47:32 +1100, Russell Coker wrote:
>> this should be fixed
> ...
>> recompiling
> 
> Sorry, we do not control the binaries that Valve
> use in Steam. You're welcome to take this upstream to
> https://github.com/ValveSoftware/steam-for-linux/issues/ if you believe
> the use of generic i386 binaries is a security problem.

> path="/home/rjc/.steam/ubuntu12_32/libavutil.so.55"

Arguably this is an ffmpeg bug. I expect you will find that this will
also happen if you try to run any program which uses ffmpeg on a machine
with Debian i386 and SELinux installed.

The lintian warning which usually occurs when you do this sort of thing
is overridden here:
https://sources.debian.org/src/ffmpeg/7:3.4.1-1/debian/libavutil55.lintian-overrides/

This happens because ffmpeg contains some i386 assembly routines which
intentionally use TEXTRELs in the name of performance. Maybe the code
should be reworked to be totally position independent. It would be
interesting to see the exact performance cost of enabling PIC for these
specific routines.

James
