Bugtraq mailing list archives
Re: [RHSA-2001:078-05] Format string bug fixed
From: Petri Kaukasoina <kaukasoi () elektroni ee tut fi>
Date: Tue, 26 Jun 2001 08:26:44 +0300
On Fri, Jun 22, 2001 at 02:02:23PM -0700, helmut g. katzgraber wrote:
> has the rpm offered on the lprng site also the same problems as the redhat one (advisory RHSA-2001:077-05)?

According to the redhat advisory, the problem is:

"LPRng fails to drop supplemental group membership at init time, though it does properly setuid and setgid. The result is that LPRng, and its children, maintain any supplemental groups that the process starting LPRng had at the time it started LPRng. This is a security risk."

root is the only one that can start lpd in the first place. So I guess in redhat root belongs to some supplemental groups. If this is the case, I would just remove root from all the supplemental groups in /etc/groups.
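The step the quoted advisory describes as missing, shown as an added example that is not part of the original post and not LPRng's code: a C privilege drop that clears supplementary groups before setgid/setuid and then verifies the result. The function names and the ids 4 and 7 are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes setgroups() in glibc's <grp.h> */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Count entries of a group list other than the one gid the daemon should keep. */
int count_extra_groups(const gid_t *groups, int n, gid_t keep)
{
    int extra = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] != keep)
            extra++;
    return extra;
}

/* Drop from root to uid/gid. Order matters: supplementary groups first,
   then gid, then uid, because once setuid() has succeeded the process may
   no longer change its groups. Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t now[64];
    int n;

    if (setgroups(1, &gid) != 0)        /* replace the inherited group list */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;

    /* Verify instead of trusting the calls: no inherited group may survive. */
    n = getgroups(64, now);
    if (n < 0 || count_extra_groups(now, n, gid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed list: groups a daemon might inherit from the shell that started it. */
    gid_t inherited[] = { 0, 1, 2, 3, 4, 6, 10 };
    printf("inherited groups besides gid 7: %d\n", count_extra_groups(inherited, 7, 7));
    /* Hypothetical target ids; returns 0 only when started with root privileges. */
    printf("drop_privileges(4, 7) -> %d\n", drop_privileges(4, 7));
    return 0;
}
```

A daemon that calls only setgid() and setuid() keeps every group in the inherited list; the getgroups() check after the drop is what catches that case.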