Re: Advisory: mgetty local compromise

[Gert Doering <gert () GREENIE MUC DE>]

Hi,

On Sat, Aug 26, 2000 at 10:45:35AM -0400, Stan Bubrouski wrote:
> > On Sat, Aug 26, 2000 at 02:23:05AM -0400, Stan Bubrouski wrote:
> > > Author                 : Stan Bubrouski
> > > Date                    : August 26, 2000
> > > Package              : mgetty
> > > Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994)
[..]
> > First of all, this hole does NOT exist anymore in 1.1.22.  It has been
> > reported to me by the FreeBSD people, and closed on August 14, 2000.
>
> Yeah and this report was constructed based on what I wrote on June 2nd
> and was subsequently ignored.

You never reported it to *me*.  It's pretty clear from all the
documentation that I wrote mgetty+sendfax and still maintain it.

You reported it to "some Linux vendor" (which is good, indeed, but
not sufficient).  Actually, if you look at the bugzilla ID that you
quote, you see that I did respond to it, after one of the FreeBSD
crowd pointed me to it.

> > 1.1.22 has been released on August 17, 2000, and can be found on the usual
> > places (http://alpha.greenie.net/mgetty/).
>
> Yeah I know.  It was an error.  I meant to put that in a "Versions unaffected:"
> row, but for some reason left on the same line as unaffected.

*sigh*

> See I had actually reported this to bugtraq over two months ago,

You haven't.

You have reported this to RedHat's "bugzilla" database, which is something
completely different.

Checking the bugtraq archives, there are exactly two articles containing
the word "faxrunq".  Both are written by me, in July 1997 - seems that
your article from today is not yet indexed.  Other articles from July this
year are certainly visible.

> and only one vendor addressed
> the problem and they did it covertly so nobody knew.

The "vendor" of mgetty+sendfax is *me*.  You have not notified me, or the
mgetty mailing list.

[..]
> I only made this report to clarify the vulnerability and because it had now been
> fixed.

In that case, please re-read the stuff before you post.  What you did was
to cause much fuzz, much panic ("what, 1.1.22 vulnerable as well?"), and
no good.

The fact that there was this bug in 1.1.21 has been clearly reported in the
mgetty list (and it's in the ChangeLog), and Linux distribution vendors
usually pick up new releases quite quickly, so they should have fixed versions
available RSN.

[..]
> > Second, I am really annoyed to find this on bugtraq, with false data,
> > without any prior contact.  The fact that I just released 1.1.22 should
> > give you enough hint that I am still maintaining mgetty, and sending me a
> > quick mal "hey, is this bug still open?" would have been in order.
>
> Not sure I understand this.  I thought thats what vendors usually want.
> A report on a vulnerability after a patch or fix is available.

Huh?  Vendors want the report on the vulnerability when you know about a
problem, to be able to *develop* a fix.

How do you think a vendor can develop a fix if you don't tell 'em?

(Maybe we have different views what a "vendor" is.  For mgetty+sendfax, I
am, as the main author and coordinator).

> If this is not
> the case please let me know, I have scathing holes in other software that
> are not public because they have yet to be fixed.  Get real.
> I don't get embarressed by a simple typo, do you?

You better should.  Claiming publically that something is vulnerable, even
giving version numbers, when you really should know that it's fixed should
be embarassing.   That's much more than a "simple typo".

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert () greenie muc de
fax: +49-89-35655025                        gert.doering () physik tu-muenchen de