Bugtraq mailing list archives

runpipe v1.2 with security hole fix

From: aleph1 () DFW NET (Aleph One)
Date: Tue, 11 Mar 1997 09:24:15 -0600


-----BEGIN PGP SIGNED MESSAGE-----


   The latest version of runpipe is available now from sunsite or my FTP
site.
   Runpipe is a daemon/client pair which watches a set of named pipes for
a read or write action on a pipe, and then executes a program on the
other end of the pipe. It is most commonly used to run a program on the
other end of the .plan pipe, so that when a person fingers the account,
the .plan "file" appears to contain the output of the program. This can
be used to make plan files which change whenever they're read, or which
deliver different messages depending on other information such as time of
day or whether or not the user is logged on.

   This release fixes a potentially serious security bug in the daemon
when run in system mode, and a potentially annoying behaviour when run in
paranoid mode. I strongly recommend that nobody who runs the daemon in
system mode run it with a version prior to 1.2.


   Here is the .lsm:

Begin3
Title:          Runpipe daemon and client
Version:        1.2
Entered-date:   March 10, 1997
Description:    A package which monitors named pipes and runs a process on
                the other end of the pipe when a read or write access is
                made to the pipe.
Keywords:       FIFO pipe plan
Author:         neufeld () physics utoronto ca (Christopher Neufeld)
Maintained-by:  neufeld () physics utoronto ca (Christopher Neufeld)
Primary-site:   caliban.physics.utoronto.ca /pub/linux
                17 kB runpipe-1.2.tar.gz
Alternate-site: sunsite.unc.edu /pub/Linux/system/daemons
Original-site:
Platform:
Copying-policy: GPL
End



- --
 Christopher Neufeld                   neufeld () physics utoronto ca
 Home page:  http://caliban.physics.utoronto.ca/neufeld/Intro.html
 "Don't edit reality for the sake of simplicity"


- --
This article has been digitally signed by the moderator, using PGP.
http://www.iki.fi/liw/lars-public-key.asc has PGP key for validating signature.
Send submissions for comp.os.linux.announce to: linux-announce () news ornl gov
PLEASE remember a short description of the software and the LOCATION.
This group is archived at http://www.iki.fi/liw/linux/cola.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBMyUje4QRll5MupLRAQFASwP+M+6F2gqdj+919o6LdEf/plACjfcfOxbJ
kRcWpRFE9UaQcWdhiPzE73nEDL/XV4RijANgBFyMEOYAYK7MyrdSpEZU+pE9uO/C
f+rlHUiSdjwUUaGJyqGMeWqXvzgkHEw2VcbxWbsv//PlZk3NypPHivcft7GAgIMq
tMQ9ShDocoE=
=JDFv
-----END PGP SIGNATURE-----

Current thread:

Re: Bug in connect() ? Frank Hofmann (Mar 07)
- Re: Bug in connect() ? Frank Hofmann (Mar 10)
- Lynx/MSIE denial-of-service Doctor Who (Mar 10)
  - Re: Lynx/MSIE denial-of-service Christopher Blizzard (Mar 10)
  - SGI Security Advisory 19970301-01-P - IRIX 5.x and 6.x fsdump Aleph One (Mar 10)
  - xterm segfaults from environment variables - too obvious David Luyer (Mar 10)
    - Secuirty Hole In Older Perl Installs... Ken Robson (Mar 11)
    - Re: xterm segfaults from environment variables - too obvious Alex Belits (Mar 11)
    - Division of Privilege (DoP) - Potential Security Vulnerability Aleph One (Mar 11)
    - runpipe v1.2 with security hole fix Aleph One (Mar 11)