
xandros-autorun.txt
Posted Jun 3, 2002
Authored by dotslash@snosoft.com | Site snosoft.com

A vulnerability in the Xandros Linux autorun utility can be used to disclose parts of protected files such as /etc/shadow.

tags | exploit
systems | linux
SHA-256 | 82784ea64ae0545645c2ce9fc64d6aed90906eec891e5e934434f6621cad4670

There is a new Debian-based distro called Xandros making its way on to the market. I believe the developers from Corel Linux are on board with Xandros. It has at least one public beta and another on the way, and I know of at least one OS that uses it as its backend. I got a chance to play on a couple of Xandros-based distros and came up with a few security issues.

Due to some extremely sketchy wording on disclosure by one of the above-mentioned distros, I will reference all distros in general as a "Xandros based flavor of Linux". I cannot verify that the holes are shared in all flavors.

The first issue I am going to disclose is in the setuid autorun binary. If this binary is called with the command line argument -c and any file name, you are able to read the first line of that file... for example /etc/shadow.

exploit: autorun -c /etc/shadow

Here is part of the response from the developer regarding only this issue... I just informed them of 6 others that I am aware of.

---------- Author or Developer's response ----------------

I have fixed the bug in autorun. There will be a new package posted
for Xandros Desktop Beta 2. A fix for Beta 1 will not be provided as we
are not supporting older beta releases in any way. Lindows.com has been
notified as well, but we have yet to hear back from them.

As soon as our QA department gives us the green light, a notice will be
posted to the beta newsgroups and the new package will be posted on the
ftp site.
---------------------------------------------------------

http://www.snosoft.com
-KF
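
Added example, not part of the original advisory and not Xandros code: the advisory does not show autorun's source, so this assumes the file named by -c was opened while the effective uid was still root. The hypothetical helper first_line_as_invoker() shows the usual fix for that pattern in a setuid program, which is to switch the effective ids to the invoking user's before open() so the kernel enforces that user's permissions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (an assumption, not Xandros code): read the first line
 * of a user-supplied path with the invoker's rights. Returns 0 or -1. */
int first_line_as_invoker(const char *path, char *out, size_t outlen)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    struct stat st;
    ssize_t n;
    int fd, rc = -1;
    if (path == NULL || out == NULL || outlen < 2)
        return -1;
    out[0] = '\0';
    /* Drop the group first; once euid is unprivileged, setegid() may fail. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        (void)setegid(saved_egid);
        return -1;
    }
    /* open() is now checked against the caller's ids; reject non-regular files. */
    fd = open(path, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
    if (fd >= 0) {
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
            (n = read(fd, out, outlen - 1)) >= 0) {
            out[n] = '\0';
            out[strcspn(out, "\n")] = '\0';   /* keep the first line only */
            rc = 0;
        }
        close(fd);
    }
    /* Restore in reverse order; a failed restore is reported as an error. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        rc = -1;
    return rc;
}

int main(int argc, char **argv)
{
    char line[256];
    if (argc != 2 || first_line_as_invoker(argv[1], line, sizeof line) != 0)
        return 1;
    return puts(line) < 0;
}
```

Installed setuid root and run by an ordinary user, this helper fails on /etc/shadow because the open() is performed with that user's ids.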