Bugtraq mailing list archives

Re: Solaris ff.core and wsinfo commands.

From: jco () bbn com (John C. Orthoefer)
Date: Tue, 06 Dec 1994 18:34:58 -0500

I haven't seen any _obvious_ ways that these could be dangerous for security,
but I'm naturally suspicious of any setuid/setgid program that crashes. Has
anyone got any further info on these programs?


I sent this to James already, but forgot to cc the list.

Patch 101889-01 says-

Keywords: ff.core security hole
Synopsis: OpenWindows 3.3: filemgr forked execuatble ff.core has a
security hole.
Date: Aug/30/94

Solaris Release: 2.3

SunOS Release: 5.3

Unbundled Product: OpenWindows

Unbundled Release: 3.3

BugId's fixed with this patch: 1171394

Files included with this patch: 

    /usr/openwin/bin/ff.core

Problem Description: 

    1171394 filemgr forked execuatble ff.core has a security hole.

johno
-
John Orthoefer   | Take this out and a Unix Demon will dog your steps from 
<jco () bbn com>    | now until the time_t's wrap around.
617-873-6188     |  -- Curse from the tunefs(8) man page source

Current thread:

letter bombs: enable-local-eval saves Emacs 19, (continued)
- - - letter bombs: enable-local-eval saves Emacs 19 Stephen Gildea (Dec 06)
    - Re: Virus's -- This is an Emacs bomb Robert Lau (Dec 06)
    - Re: Virus's -- This is an Emacs bomb Charles Howes (Dec 07)
  - good times nobody () c2 org (Dec 06)
- Re: Got this - not sure of authenticity. Better safe etc... Jason Matthews (Dec 06)
  - Re: Got this - not sure of authenticity. Better safe etc... Geir Inge Jensen (Dec 06)
    - Re: Got this - not sure of authenticity. Better safe etc... Jim Littlefield (Dec 06)
  - Re: Got this - not sure of authenticity. Better safe etc... Pat Myrto (Dec 06)
    - Re: Got this - not sure of authenticity. Better safe etc... John (Dec 06)
  - Solaris ff.core and wsinfo commands. Bonfield James (Dec 06)
    - Re: Solaris ff.core and wsinfo commands. John C. Orthoefer (Dec 06)
- Got this - not sure of authenticity. Better safe etc... Michael Covington (Dec 06)
- Re: Got this - not sure of authenticity. Better safe etc... Robert M. Haas (Dec 06)
- Re: Got this - not sure of authenticity. Better safe etc... Karyn Pichnarczyk (Dec 05)
- Re: Got this - not sure of authenticity. Better safe etc... Doug Hughes (Dec 06)
- Re: Got this - not sure of authenticity. Better safe etc... Richard Chycoski (Dec 06)
  - Re: Got this - not sure of authenticity. Better safe etc... Jason Matthews (Dec 06)
  - Re: Got this - not sure of authenticity. Better safe etc... Eric Kimminau (Dec 07)
- Re: Got this - not sure of authenticity. Better safe etc... Craig Presson (Dec 06)
- Re: Got this - not sure of authenticity. Better safe etc... Richard Chycoski (Dec 06)
- Re: Got this - not sure of authenticity. Better safe etc... Graham W. Mullier (Dec 07)

(Thread continues...)