[sldev] Security Update 2008-10-06 to SL Viewers and sourcecode - CLARIFICATION

Aidan Thornton makosoft at googlemail.com
Thu Oct 9 03:06:21 PDT 2008


On 10/8/08, Latif Khalifa <latifer at streamgrid.net> wrote:
> On Tue, Oct 7, 2008 at 11:18 PM, Henri Beauchamp <sldev at free.fr> wrote:
>> On Tue, 7 Oct 2008 12:22:56 -0500, Soft wrote:
>>
>>> On Tue, Oct 7, 2008 at 11:35 AM, Henri Beauchamp <sldev at free.fr> wrote:
>>> > .../...
>>> > Yet the sources and patches will not be published before LL publishes
>>> > their own sources.
>>>
>>> Thank you, Henri. It's okay to publish now.
>>>
>>> http://svn.secondlife.com/trac/linden/changeset/1283
>>
>> Ok, links to sources and patch published. The patch for v1.19.0.5 might
>> be of interest to others, so here is the direct link:
>> http://sldev.free.fr/patches/11905/slviewer-0-v11905-FileAccessSecurity.patch.bz2
>
> Has support for the UDPBlackListed flag from the message template been added to
> that patch set? It's very important to include it too. I guess the
> patch is:
>
> http://svn.secondlife.com/trac/linden/changeset/1202

Hi,

Yep, that's important - it looks like the patch relevant to this
exploit. I think I actually spotted this issue myself a year or so
ago, but it looks like for some reason I never actually got around to
reporting it; probably because I didn't have the ability to fake
source addresses and therefore couldn't test it properly. (As soon as
the exploit was described, I guessed this was it.) Whoops - sorry
about that.

Aidan.

