Slashdot Mirror


User: Jesrad

Jesrad's activity in the archive.

Stories: 0
Comments: 1,012

Comments · 1,012

  1. Re:Looks like an F-16 on Swedish Flight Simulator Adds G Forces · · Score: 2, Informative

    actually the most advanced aircraft in service anywhere in the world right now, since the F-22 and EF2000 are not in service yet

    I thought that spot was taken by the Rafale...

  2. Re:almost unrelated Quicktime question on iTunes 4.2 and QuickTime 6.5 · · Score: 1

    That's what the mpeg formats are for, from roughly the same guys who brought you the jpeg format. Either the one, two or four version will be fairly portable.

  3. Butterflies are good at that, too on The Beetle That Thought It Was A Precious Stone · · Score: 4, Interesting

    This beetle imitates opals by stacking layers of hexagonally aligned nanospheres (250 nm in diameter) to reflect one wavelength (color). If I'm not mistaken that's a lot like those butterflies that have scales sized in the same range of hundreds of nanometers to appear blue without synthesizing any colored substance.

  4. Like islands in the ocean on Planetary Formation Sim Suggests Many Water Worlds · · Score: 4, Interesting

    Reading the article I can't help but think of all the stellar systems around as archipelagos of islands spread in a huge ocean. The other islands near ours might be inhabited, too? That's one more reason to start sending "smoke signals". Or perhaps the current electromagnetic madness we emit permanently might suffice?

  5. Re:In All My Years... on Mac OS X Buffer Overflow Found · · Score: 1

    But that would make it a LOCAL exploit then, wouldn't it? Or does your definition of "remote" mean being _behind_ the keyboard? ;)

  6. Re: timely patches? on Mac OS X Buffer Overflow Found · · Score: 3, Interesting

    ...because there is no need for a patch. Just open Directory Access and uncheck a box. If you insist on running a patch you might be able to make the process into an AppleScript.

    Happy?

  7. Re:Looks low risk to me... on Mac OS X Buffer Overflow Found · · Score: 4, Informative

    2 weeks? Why wait? Get the fix for this vulnerability, and another similar one freshly discovered, from here.

  8. Re:Found another flaw on Mac OS X Buffer Overflow Found · · Score: 1

    "User error: please change user."

    This one has been known for a loooong time, under both "ID10T" and "PEBCAK" names.

  9. Re:Details: on Mac OS X Buffer Overflow Found · · Score: 1

    I corrected this one, too. Get the fix at this place and move the corrected binary to the right place (/System/Library/Filesystems/ufs.fs/). I included the source code obviously, but you'll need the full diskdev package (plus dependent packages) from the Apple developer.apple.com website, to build it.

  10. Re:Details of the fix on Mac OS X Buffer Overflow Found · · Score: 1

    The 255 char limit of myDeviceName and myRawDeviceName strings is hardcoded anyway, but I agree this is not very elegant.

  11. Re:There's a buffer overflow even in the fix... on Mac OS X Buffer Overflow Found · · Score: 1

    It is the strcat function that segfaults if handed a string over 255 chars, not the rest of the code. I agree that there should be more exact checks but as it is now the exploit is corrected. I'll change that now.

    In fact the code should use strncpy and not use strcat in the first place...

  12. Re:Fix ? on Mac OS X Buffer Overflow Found · · Score: 1

    Any user can run cd9660.util and that's probably why it is setuid.

  13. Re:Details: on Mac OS X Buffer Overflow Found · · Score: 1

    Thank you for the info. I'll work on correcting that more thoroughly now.

  14. Details of the fix on Mac OS X Buffer Overflow Found · · Score: 4, Informative

    The change is in the DoVerifyArgs function, from:

    myDeviceLength = strlen( argv[2] );
    if ( myDeviceLength < 2 )
    {
        goto ExitThisRoutine;
    }

    to:

    myDeviceLength = strlen( argv[2] );
    // Added check for lengths of myDeviceName over 255 chars; 16/12/2003 Namu
    if (( myDeviceLength < 2 ) || (myDeviceLength > 255))
    {
        goto ExitThisRoutine;
    }

    The tar.gz archive is just the same as the one from OpenDarwin, except for the fix in the code and the install.sh shell script that makes the utility, installs it under sudo, setuid's it and then cleans.

  15. Re:Why does it matter? on Mac OS X Buffer Overflow Found · · Score: 3, Informative

    And Macbidouille has a fix NOW. Gotta love OpenSource ;)

  16. DONE on Mac OS X Buffer Overflow Found · · Score: 4, Informative

    Get the fix with source code here, just double-click the install.sh script, it will make, copy and setuid the file at the correct location. Somebody please test and review this!

  17. Details: on Mac OS X Buffer Overflow Found · · Score: 5, Informative

    The error lies in the cd9660.util_main.m file from the isoutil package, specifically, right at the start of the main function:

    if ( (myError = DoVerifyArgs( argc, argv, &mnt_flag )) != 0 )
        goto AllDone;

    /* Build our device name (full path), should end up with something like: */
    /* /dev/disk1s2 */
    strcpy( &myDeviceName[0], DEVICE_PREFIX );
    strcat( &myDeviceName[0], argv[2] );

    The strcat function fails with the huge devicename. DoVerifyArgs should check the length of argv[2] to be under 255 characters, but it only checks if it is longer than 2 characters:

    /* Make sure device (argv[2]) is something reasonable */
    myDeviceLength = strlen( argv[2] );
    if ( myDeviceLength < 2 )
    {
        goto ExitThisRoutine;
    }

    I'll make a quick fix and test it.
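An added example, not part of the original comments and not Apple's code: a bounded replacement for the strcpy/strcat sequence discussed in the "Details:" and "Details of the fix" comments, showing why the destination size has to account for the prefix as well as argv[2]. The prefix value "/dev/", the 256-byte buffer size and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values for illustration; not copied from the isoutil source. */
#define DEVICE_PREFIX   "/dev/"  /* inferred from the "/dev/disk1s2" comment */
#define DEVICE_NAME_MAX 256      /* hypothetical destination buffer size */

/* The range check as posted in the thread: looks at the argument alone. */
static int posted_length_check(const char *dev)
{
    size_t n = strlen(dev);
    return n >= 2 && n <= 255;
}

/* Build "<prefix><dev>" in out. Returns 0 on success, or -1 when the
 * argument is too short or prefix + argument + NUL would not fit. */
static int build_device_path(char *out, size_t out_size, const char *dev)
{
    int written;

    if (out == NULL || out_size == 0 || dev == NULL)
        return -1;
    out[0] = '\0';                 /* never leave a partial path behind */
    if (strlen(dev) < 2)
        return -1;
    written = snprintf(out, out_size, "%s%s", DEVICE_PREFIX, dev);
    if (written < 0 || (size_t)written >= out_size) {
        out[0] = '\0';             /* truncated: reject instead of using it */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[DEVICE_NAME_MAX];
    char long_name[256];
    int rc;

    memset(long_name, 'A', 255);   /* constructed 255-character argument */
    long_name[255] = '\0';

    rc = build_device_path(path, sizeof path, "disk1s2");
    printf("disk1s2: rc=%d path=%s\n", rc, path);
    rc = build_device_path(path, sizeof path, long_name);
    printf("255 chars: posted check=%d, bounded build rc=%d\n",
           posted_length_check(long_name), rc);
    return 0;
}
```

Under these assumptions the longest argument that fits is 250 characters, so a 255-character argument passes the argument-only range check yet is rejected by the bounded build.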

  18. Fix ? on Mac OS X Buffer Overflow Found · · Score: 1

    While some people waste their time ranting about Max's comment on the quality of some non-BSD parts of OS X, about whether this is a serious exploit (hint: it is) or whether it is newsworthy (it is, too), does anybody have a fix to propose besides removing the setuid bit (which, according to my quick and totally inconclusive test, serves no purpose)?

  19. Re:Darl in Top 25? on SCO UnixWare 7.1.3 Review · · Score: 1

    He was _supposed_ to make it into the Top 50 most powerful IT men list, but slightly before publication the editor came to his fscking senses:

    News article about the 50 Most Powerful IT men check the Free Thinkers link

    Someone who could well have fallen into this category this year but didn't make the list at all is SCO CEO Darl McBride. He has led his company's charge to get credit for what it claims is some of its code turning up in Linux. So far the row has taken the form of a lawsuit brought against IBM, headlines in the media and SCO invoicing some users for Linux roll outs.

    However, when asked what happened when his company was served with a request to pay a SCO licence for Linux, panellist Ric Francis, Safeway's CIO, said: "I told them to stick it. At the end of the day it is never going to fly. It's the last dying breath of a company that is never going to make money."

  20. Parent post summed: on Mac OS X Security Criticisms Countered · · Score: 1

    "Never attribute to malice what can be explained by stupidity."

  21. Re:I don't understand why.. on Living on Mars Time · · Score: 1

    I think the operations are tests to collect hard data about concentration and ability to perform. Instead of theorizing about how the longer day could affect the astronauts and possibly jeopardize basic Mars mission's operations, nothing beats a good old practical test.

    Besides, some of us were meant to live on Mars ;)

  22. Re:Constant jet lag would be good how? on Living on Mars Time · · Score: 1

    I have a circadian cycle of 25 hours, which means I go to sleep one hour later every day and wake up one hour later. I have to "reset" every three or four days or I run into trouble with the rest of the world. It is tiring and I lose concentration all the time.

    On inactive periods (typically holidays) I inevitably end up sleeping during the morning and cooking my dinner around 2-3 AM. When I'm completely "shifted half-way" it's quite annoying. Colleagues go to lunch when I go to bed. Where I live, there are no shops and supermarkets open from 8 PM to 9 AM. It's also quite hard to keep my birds on a 24-hour cycle. Believe me I'd rather live on Mars if it was possible.

  23. Re:Dumont beat them too it... on Where Are The Edges Of Today's Technology World? · · Score: 1

    And Clement Ader beat Santos-Dumont to it. Don't believe the Wright hype either.

  24. So true. on Where Are The Edges Of Today's Technology World? · · Score: 2, Interesting

    And even earlier people said "we have more crops growing food than we would ever need to make it through winter comfortably, everyone has a horse for quick and cheap travel, and our priests are developing effective medicine. We have pretty much everything we need".

    Or even earlier: "We have very effective lances and javelins for hunt, and our shamans know which plants are edible and how to repel bad spirits. We have pretty much everything we need."

    Happiness is relative. And to think we are more developed than our ancestors because of technology is one of the biggest delusions of mankind. We still are the same primates we were ten thousand years ago.

    I'll tell you what we don't have yet that I want: a space elevator, immortality in a vaccine, time-travel, unlimited energy, antigravity and faster than light travel. And of course more bandwidth. Once we got all that, there will be dreamers who'll find more things to wish for, don't worry.

  25. Re:Things to Come.... on Where Are The Edges Of Today's Technology World? · · Score: 1

    Practical immortality is getting damn close, I second that.

    But you forgot electrogravitic engines and free energy from zero-point. The technology for those has been around for up to 80 years, but we're only getting the theory behind them now.

    Interesting times indeed ;)