Bugtraq mailing list archives
Re: Advisory: mgetty local compromise
From: Stan Bubrouski <satan () fastdial net>
Date: Sat, 26 Aug 2000 10:45:35 -0400
Gert Doering wrote:
Hi, aren't there things you *REALLY* hate? This is one of them.
Hate is a strong word. Mistakes are mistakes. Move on. If you really hate things so much why not post them yourself to save others the trouble of reporting the problem? You know this ships with most of the most popular Linux distributions, so chances are that people are affected by this.
On Sat, Aug 26, 2000 at 02:23:05AM -0400, Stan Bubrouski wrote:
Author : Stan Bubrouski
Date : August 26, 2000
Package : mgetty
Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994)
Severity : faxrunqd follows symbolic links when creating certain files. The default location for the files is /var/spool/fax/outgoing, which is a world-writable directory. Local users can destroy the contents of any file on a mounted filesystem because faxrunqd is usually run by root.
Problem : mgetty comes with a program named faxrunqd, which is a daemon to send fax jobs queued by faxspool(1). Upon successful execution, a file named .last_run is created in the /var/spool/fax/outgoing/ directory which is world-writable. The problem lies in the fact faxrunqd will follow symlinks created by any user, allowing file creation anywhere and allowing existing files to be overwritten/destroyed.
First of all, this hole does NOT exist anymore in 1.1.22. It has been reported to me by the FreeBSD people, and closed on August 14, 2000.
Yeah and this report was constructed based on what I wrote on June 2nd and was subsequently ignored.
1.1.22 has been released on August 17, 2000, and can be found on the usual places (http://alpha.greenie.net/mgetty/).
Yeah I know. It was an error. I meant to put that in a "Versions unaffected:" row, but for some reason left on the same line as unaffected. See I had actually reported this to bugtraq over two months ago, and only one vendor addressed the problem and they did it covertly so nobody knew. It didn't help either that when I made the original report I had it listed in a message explaining compromises on Red Hat Linux 6.2 and so the scope of the problem was never recognized. I only made this report to clarify the vulnerability and because it had now been fixed. My original report was to Red Hat on June 2, 2000. It's the same as in the advisory except it only shows how it is a problem. That is at http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11874
So, please, get your facts right before posting. Second, I am really annoyed to find this on bugtraq, with false data, without any prior contact. The fact that I just released 1.1.22 should give you enough hint that I am still maintaining mgetty, and sending me a quick mail "hey, is this bug still open?" would have been in order. Also, it would have saved *you* the embarrassment to report something to bugtraq that is already fixed.
Not sure I understand this. I thought that's what vendors usually want. A report on a vulnerability after a patch or fix is available. If this is not the case please let me know, I have scathing holes in other software that are not public because they have yet to be fixed. Get real. I don't get embarrassed by a simple typo, do you?
Vendor releases might still be vulnerable (shipping old versions), but as faxrunqd(8) isn't usually run by default, a "standard system" should NOT be vulnerable. *If* you run faxrunqd, though, upgrade to 1.1.22 (but those of you that do, you know who you are...)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert () greenie muc de
fax: +49-89-35655025
gert.doering () physik tu-muenchen de
Later. Stan Bubrouski
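An added illustration of the bug class the quoted advisory describes (not code from this thread or from mgetty, and not the change made in 1.1.22): a writer that creates .last_run with a plain open() next to one that uses O_NOFOLLOW and vets the descriptor with fstat() before truncating. The function names and the temp-directory scenario are constructed for the example.

```python
import errno
import os
import stat
import tempfile
from pathlib import Path

STAMP = ".last_run"  # file name taken from the advisory


def write_stamp_naive(spool, text):
    # What the advisory describes: open() follows a symlink at spool/.last_run.
    with open(os.path.join(spool, STAMP), "w") as fh:
        fh.write(text)


def write_stamp_hardened(spool, text):
    # O_NOFOLLOW: open() fails if the final path component is a symlink.
    # No O_TRUNC: nothing is truncated until fstat() has vetted the file.
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW
    try:
        fd = os.open(os.path.join(spool, STAMP), flags, 0o644)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # Linux / FreeBSD
            return False
        raise
    try:
        st = os.fstat(fd)
        # Must be a regular file with one link (rejects hard links elsewhere).
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            return False
        os.ftruncate(fd, 0)
        os.write(fd, text.encode())
        return True
    finally:
        os.close(fd)


def demo():
    # Constructed scenario in a private temp dir; "victim" is a stand-in file.
    with tempfile.TemporaryDirectory() as root:
        spool, victim = Path(root, "outgoing"), Path(root, "victim")
        spool.mkdir()
        victim.write_text("important data\n")
        os.symlink(victim, spool / STAMP)
        refused = not write_stamp_hardened(spool, "stamp\n")
        intact = victim.read_text() == "important data\n"
        write_stamp_naive(spool, "stamp\n")
        clobbered = victim.read_text() == "stamp\n"
        return {"refused": refused, "intact": intact, "clobbered": clobbered}
```

The per-file check only narrows the window; a spool directory that untrusted local users cannot write to removes the precondition the advisory names.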