Bugtraq mailing list archives
Environment variables (SECURITY: too many new packages)
From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Wed, 1 Jul 1998 00:42:10 +2500
Bugtraq readers who haven't been following the Linux security audit project (from whence most of the Red Hat fixes came - and other vendors will I assume be issuing identical updates) might like to take a look at how their own OS handles pointing the following at files only root can read and running setuid apps. (or setgid usage in some cases such as Mutt)

TZ
TERMINFO
TERMCAP

There are lots of files which when read do 'interesting' things, and termcap in particular is fun because it tends to read the entire floppy/tape/memory etc before it gives up.

This raises another related question. Has anyone ever tried to build the complete list of environment influenced file opens in not just libc but all the supporting libraries in unix systems?

A PS item btw: 2.0.35pre3 fixes the bug reported with SIGIO, and it should be out as 2.0.35 proper RSN - 2.0.35pre3 is a release candidate. We hadn't planned on a 2.0.35 release quite that soon but such is life.

Alan
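A defensive sketch of the issue raised in the message above, as an added example that is not part of the original post: a set-id program removes TERMINFO and TERMCAP and rejects TZ values that could name a file outside the zone database, before any library gets to read them. The function names and the TZ policy (no absolute path, no `..`, 64-character limit) are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for setenv()/unsetenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Variables named in the post that make libraries open caller-chosen files. */
static const char *const path_vars[] = { "TERMINFO", "TERMCAP", NULL };

/* True when the effective uid or gid differs from the real one (setuid/setgid). */
int running_setid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Assumed policy: a TZ value is kept only if it is short, is not an
 * absolute path (with or without the leading ':') and has no ".." in it. */
int tz_is_safe(const char *tz)
{
    if (*tz == ':')
        tz++;                      /* ':' introduces a file specification */
    if (*tz == '/' || strlen(tz) > 64)
        return 0;
    return strstr(tz, "..") == NULL;
}

/* Scrub the environment when privileged; returns how many variables were removed. */
int scrub_env(int privileged)
{
    int removed = 0;
    const char *tz;

    if (!privileged)
        return 0;                  /* unprivileged: the user only reads own files */
    for (size_t i = 0; path_vars[i] != NULL; i++) {
        if (getenv(path_vars[i]) != NULL && unsetenv(path_vars[i]) == 0)
            removed++;
    }
    tz = getenv("TZ");
    if (tz != NULL && !tz_is_safe(tz) && unsetenv("TZ") == 0)
        removed++;
    return removed;
}

int main(void)
{
    /* Call this before initialising curses, localtime() or similar. */
    printf("removed %d variable(s)\n", scrub_env(running_setid()));
    return 0;
}
```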