Bugtraq mailing list archives
Re: /bin/mail Security Hole
From: neil () legless demon co uk (Neil Woods)
Date: Sun, 27 Nov 1994 02:12:33 +0100 (GMT)
> Above all, FIX THIS HOLE. As to 8lgm, I definitely supported you in the past, but turning to security through obscurity this late in the game is a turn for the worse. If you have written an exploit, make it public, or do NOT give it to anyone, not even your best friend's dog. There's a lesson to be learned that has been repeated throughout history: give out copies to only a few people, and the entire cracker community will get it. Let's see a little more "all or nothing" commitments from the security community.
Hi, we entirely agree, but if you recall we had some people who wanted us to change the way we gave out information, and move away from full disclosure. Both myself and Karl were committed 100% to doing it this way; we're trying to make as many people happy as we can. I can't defend the way we're going to have to do things now, I don't believe in it. So all you guys, Casper Dik etc. etc. will have to defend us 8).

As for the binmail patch, we can't test it as we can't get a copy (I don't know if you remember, but we don't have a support contract). If someone wants to mail us a copy, that'd be gr8. I verified the diff from Sun a few months back, which did indeed fix the tmp file and mailbox creation problems. I'd like to check the binary though 8).

As you mentioned, many binmails have problems creating tmp files in a secure manner. You can look to any system based on SysV, and find exactly the same problem.

Anyway, I'm going to book a room for the 8lgm binmail party tomorrow, although it won't be a firm reservation until I've seen the binary 8).

Cheers,
Neil
--
Bull in the Heather, Me and My Charms, The Lights, Sensual World, Go, Ritual, Handsome and Gretel, Take Me, Blue Room, Drunken Butterfly, She's Lost Control.
...like a badger with an afro throwing sparklers at the Pope...
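The insecure tmp-file creation Neil refers to is the classic predictable-name race: a set-uid mailer opens a fixed path under /tmp with O_CREAT but without O_EXCL, so a symlink planted there beforehand is silently followed. The program below is an added illustration, not code from 8lgm, Sun or any binmail, and it does not reproduce the actual hole; it shows the weak open() beside two hardened forms and checks, in a private scratch directory, that only the weak one writes through a planted link. The directory, file names and "victim" file are assumptions made for the demo.

```c
/* Added illustration (not from 8lgm, Sun or any binmail): why a set-uid
 * program must not create its scratch file at a predictable name.
 * Paths, file names and the "victim" file are assumptions for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEMO_INSECURE_CLOBBERED 1 /* plain open() followed the planted symlink */
#define DEMO_EXCL_REFUSED       2 /* O_CREAT|O_EXCL|O_NOFOLLOW failed with EEXIST */
#define DEMO_MKSTEMP_OK         4 /* mkstemp() opened a fresh, unpredictable file */

/* Weak pattern: fixed name, O_CREAT without O_EXCL.  A symlink already
 * sitting at that name is followed, and the privileged caller truncates
 * and writes whatever it points at. */
int insecure_tmp_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened open of a fixed name: O_EXCL turns any pre-existing entry
 * (symlink included) into an EEXIST failure; O_NOFOLLOW is a second
 * line of defence should O_EXCL ever be dropped. */
int exclusive_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Better: mkstemp() picks an unpredictable name and opens it O_EXCL
 * itself.  tmpl must end in "XXXXXX" and is rewritten with the name used. */
int secure_tmp_open(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Nonzero if the file at path holds exactly `expected`. */
static int file_holds(const char *path, const char *expected)
{
    char buf[64];
    FILE *f = fopen(path, "r");
    if (f == NULL) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Run the three patterns against a planted symlink in a private scratch
 * directory; returns a bitmask of DEMO_* flags (7 = weak open clobbered
 * the victim, both hardened forms held), -1 if the scratch dir failed. */
int demo_symlink_race(void)
{
    int flags = 0, fd = -1;
    char dir[] = "/tmp/binmail-demo-XXXXXX";   /* assumes a writable /tmp */
    char victim[256], predictable[256], tmpl[256];

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(predictable, sizeof predictable, "%s/mail.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/mail.XXXXXX", dir);

    /* "victim" stands in for a file only the set-uid program can write;
     * the symlink at the predictable name is the attacker's move. */
    FILE *v = fopen(victim, "w");
    if (v == NULL) goto cleanup;
    fputs("original\n", v);
    fclose(v);
    if (symlink(victim, predictable) != 0) goto cleanup;

    /* 1. weak pattern: the write lands in the victim file */
    fd = insecure_tmp_open(predictable);
    if (fd >= 0) {
        ssize_t w = write(fd, "clobbered\n", 10);
        (void)w;
        close(fd);
    }
    if (file_holds(victim, "clobbered\n")) flags |= DEMO_INSECURE_CLOBBERED;

    /* 2. O_EXCL: the planted link counts as "already exists" */
    fd = exclusive_open(predictable);
    if (fd < 0 && errno == EEXIST) flags |= DEMO_EXCL_REFUSED;
    else if (fd >= 0) close(fd);

    /* 3. mkstemp: the predictable name is never consulted at all */
    fd = secure_tmp_open(tmpl);
    if (fd >= 0) {
        if (strcmp(tmpl, predictable) != 0) flags |= DEMO_MKSTEMP_OK;
        close(fd);
        unlink(tmpl);
    }

cleanup:
    unlink(predictable);
    unlink(victim);
    rmdir(dir);
    return flags;
}

int main(void)
{
    int r = demo_symlink_race();
    printf("demo flags = %d (7 = weak open clobbered, hardened opens held)\n", r);
    return r == 7 ? 0 : 1;
}
```

The demo plants the link in a directory it owns, so it also runs on current Linux where fs.protected_symlinks refuses to follow foreign symlinks in sticky world-writable directories such as /tmp itself; that sysctl is a mitigation, not a fix, and the O_EXCL/mkstemp discipline is what actually closes the hole on every UNIX.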
Current thread:
- /bin/mail Security Hole Nathan Lawson (Nov 26)
- Re: /bin/mail Security Hole Casper Dik (Nov 26)
- Re: /bin/mail Security Hole Neil Woods (Nov 26)
- [8lgm]-Advisory-8.UNIX.SunOS-kernel.11-Nov-1994 [8LGM] Security Team (Nov 27)
- [8lgm]-Advisory-9.UNIX.urestore.10-Feb-1993 [8LGM] Security Team (Nov 27)
- [8lgm]-Advisory-13.UNIX.SCO-login.15-Apr-1994 [8LGM] Security Team (Nov 27)