Bugtraq mailing list archives
Re: Advisory: mgetty local compromise
From: Gert Doering <gert () GREENIE MUC DE>
Date: Sat, 26 Aug 2000 11:02:09 +0200
Hi, aren't there things you *REALLY* hate? This is one of them. On Sat, Aug 26, 2000 at 02:23:05AM -0400, Stan Bubrouski wrote:
Author : Stan Bubrouski Date : August 26, 2000 Package : mgetty Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994) Severity : faxrunqd follows symbolic links when creating certain files. The default location for the files is /var/spool/fax/outgoing, which is a world-writable directory. Local users can destroy the contents of any file on a mounted filesystem because faxrunqd is usually run by root. Problem : mgetty comes with a program named faxrunqd, which is a daemon to send fax jobs queued by faxspool(1). Upon successful execution, a file named .last_run is created in the /var/spool/fax/outgoing/ directory which is world-writable. The problem lies in the fact faxrunqd will follow symlinks created by any user, allowing file creation anywhere and allowing existing files to be overwritten/destroyed.
First of all, this hole does NOT exist anymore in 1.1.22. It has been reported to me by the FreeBSD people, and closed on August 14, 2000. 1.1.22 has been released on August 17, 2000, and can be found on the usual places (http://alpha.greenie.net/mgetty/). So, please, get your facts right before posting. Second, I am really annoyed to find this on bugtraq, with false data, without any prior contact. The fact that I just released 1.1.22 should give you enough hint that I am still maintaining mgetty, and sending me a quick mal "hey, is this bug still open?" would have been in order. Also, it would have saved *you* the embarrassment to report something to bugtraq that is already fixed. Vendor releases might still be vulnerable (shipping old versions), but as faxrunqd(8) isn't usually run by default, a "standard system" should NOT be vulnerable. *If* you run faxrunqd, though, upgrade to 1.1.22 (but those of you that do, you know who you are...) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert () greenie muc de fax: +49-89-35655025 gert.doering () physik tu-muenchen de
Current thread:
- Advisory: mgetty local compromise Stan Bubrouski (Aug 26)
- Re: Advisory: mgetty local compromise Gert Doering (Aug 26)
- Re: Advisory: mgetty local compromise Gert Doering (Aug 26)
- Re: Advisory: mgetty local compromise Stan Bubrouski (Aug 26)
- Re: Advisory: mgetty local compromise Gert Doering (Aug 26)
- Re: Advisory: mgetty local compromise Stan Bubrouski (Aug 29)
- Re: Advisory: mgetty local compromise Mark Stingley (Aug 30)
- Re: Advisory: mgetty local compromise Gert Doering (Aug 26)
- Re: Advisory: mgetty local compromise Cy Schubert - ITSD Open Systems Group (Aug 31)