Bugtraq mailing list archives

aaa_base still vulnerable after upgrade


From: matthias.andree () GMX DE (Matthias Andree)
Date: Sat, 29 Apr 2000 18:05:10 +0200


* Marc Heuse (marc () suse de) [2000-04-29 16:28]:
______________________________________________________________________________

                        SuSE Security Announcement

        Package: aaabase < 2000.1.3
        Date:    Sat, 29 Apr 2000 14:03:28 GMT

        Affected SuSE versions: all
        Vulnerability Type:     remove any local file(s)
                                executing attacker supplied commands as non-root

350cabc140a177dfa1909d356c982647  ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/aaa_base-99.9.8-0.i386.rpm

Note that after applying this non-fix, SuSE 6.2 remains vulnerable (as
it's not an update and the 99.9.8 version _IS_ vulnerable).

Isn't it embarrassing to announce fixes which don't even touch the
_vulnerable_ packages?

This is an offense against all paying and trusting clients and users.

It expresses that SuSE still are not familiar with security, and they
do not regularly audit their programs for security issues.

            rm -f $DEL_FILE
            DEL_DIR=`dirname $DEL_FILE`
            if [ "$DEL_DIR" != "$TMP_DIR/." ] ; then
                rmdir $DEL_DIR 2> /dev/null
            fi

This expresses that the persons who wrote that script did not know what
they were doing and were totally unaware of files that contain spaces
or shell metacharacters in their names. Apart from that 2>/dev/null
(they'd better have fixed the script than the symptoms), how about this
nice time bomb (try rebooting the machine after MAX_DAYS_IN_TMP days!):

touch "/tmp/x /etc/rc.config"

Better set MAX_DAYS_IN_TMP=0 in /etc/rc.config for now. Do it NOW.

--
Matthias Andree
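
The word-splitting problem described in the message above, as an added example that is not part of the original post or of the aaa_base script: it reproduces the unquoted `rm -f $DEL_FILE` next to a quoted form, entirely inside a throwaway sandbox. The function names, the sandbox layout and the stand-in `etc/rc.config` are assumptions made for this demonstration.

```shell
#!/bin/sh
# Constructed demo: all files live in a throwaway sandbox made by mktemp.

# Build the sandbox: a stand-in etc/rc.config plus a planted entry under
# tmp/ whose name contains a space (constructed sample input).
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/etc" "$sb/tmp/x etc"
    echo "config" > "$sb/etc/rc.config"
    : > "$sb/tmp/x etc/rc.config"
    echo "$sb"
}

# Deletion as quoted in the post: $DEL_FILE is unquoted, so the shell
# splits it on the space and rm receives "tmp/x" and "etc/rc.config".
delete_unquoted() (
    cd "$1" || exit 1
    DEL_FILE="tmp/x etc/rc.config"
    rm -f $DEL_FILE
)

# Hardened form: quote the expansion so rm sees exactly one path, and
# end option parsing with "--" so a name starting with "-" is not a flag.
delete_quoted() (
    cd "$1" || exit 1
    DEL_FILE="tmp/x etc/rc.config"
    rm -f -- "$DEL_FILE"
)

# True if the stand-in config file outside tmp/ still exists.
config_survives() {
    [ -f "$1/etc/rc.config" ]
}

# Run both variants on fresh sandboxes and report the outcome.
for fn in delete_unquoted delete_quoted; do
    sb=$(make_sandbox)
    "$fn" "$sb"
    if config_survives "$sb"; then r="survives"; else r="DELETED"; fi
    echo "$fn: etc/rc.config $r"
    rm -rf "$sb"
done
```

With the unquoted expansion the planted entry itself is left in place and only the file outside tmp/ is removed, which is why the cleanup appears to do nothing until the missing file is noticed.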


