Re: expoit for locale format string bug (Solaris 2.x)

[Dan Harkless <dan-bugtraq () DILVISH SPEED NET>]

Gus Hartmann <hartmann () madison-expat net> writes:
> On Fri, Sep 08, 2000 at 03:24:56PM -0700, Dan Harkless wrote:
>
> > I wish Sun would make a response in this forum so its customers (including
> > the ones without multi-thousand-dollar support contracts) would know what
> > the time window is for local users being able to easily get root.
>
>       Sun did respond in the FOCUS-SUN mailing list,

Ah.  I wasn't familiar with that list.

> to the effect that they are currently working on a solution. The two most
> relevant messages are available from the archive at:
>
> http://www.securityfocus.com/templates/archive.pike?fromthread=0&start=2000-09-01&threads=0&mid=80863&list=92&end=2000-09-07
>
> http://www.securityfocus.com/templates/archive.pike?fromthread=0&start=2000-09-08&threads=0&mid=81184&list=92&end=2000-09-14
>
>       My employer holds several, multi-million dollar Sun support
> contracts, and we haven't heard anything besides the above messages to a
> public mailing list.

Thanks for the info, Gus.  Guess I better get those NLSPATH-cleaning wrapper
programs in place while Sun slogs through trying to find the perfect
solution.

Kind of amazing that they don't realize that given the severity of this
issue, most of us would prefer to have an immediate, temporary fix that
breaks the standard but closes the hole, followed by one that doesn't break
the standard (if possible) at some later date.

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.