Bugtraq mailing list archives
Re: Remote Root Hole in FreeBSD Ports
From: Horms <horms () vergenet net>
Date: Thu, 27 Dec 2001 13:41:46 +1100
This notice is in reference to a reported root hole in the FreeBSD port of perdition and more specifically the library vanessa_logger that it requires. http://www.securityfocus.org/archive/1/247148 First I would like to express great dismay that this was published on a public list (BugTraq) without prior consultation with the author (myself) or to my knowledge the maintainer of the FreeBSD port, Konstantinos Konstantinidis. There is a string format bug in vanessa_logger 0.0.1 which is what the post to BugTraq makes reference to. FreeBSD, was at the time of the posting shipping this vulnerable version. vanessa_logger 0.0.2, released on the 29th of June 2001, is not vulnerable to this exploit. FreeBSD have released a patched version of vanessa_logger 0.0.1 which is also not vulnerable. Users should upgrade to either of these. vanessa_logger 0.0.2 is available from ftp://ftp.vergenet.net/pub/vanessa/vanessa_logger/0.0.2 At this time I would also like to highlight the importance of running perdition as a non-root user. The --username and --group options enable perdition to run as non-root for most of a processes life. If these options are used then the potential risk from any exploits stemming from the string format bug in vanessa_logger are significantly reduced. For more information on perdition please see http://vergenet.net/linux/perdition/ -- Horms Author of perdition and vanessa_logger
Attachment:
_bin
Description:
Current thread:
- Remote Root Hole in FreeBSD Ports bugtraq (Dec 25)
- Re: Remote Root Hole in FreeBSD Ports Horms (Dec 27)
- Re: Remote Root Hole in FreeBSD Ports networkingysistemas networkingysistemas xxx (Dec 29)
- Re: Remote Root Hole in FreeBSD Ports Horms (Dec 27)