Bugtraq mailing list archives
Re: Slrnpull Buffer Overflow (-d parameter)
From: Bill Nottingham <notting () redhat com>
Date: Tue, 30 Apr 2002 12:08:56 -0400
Alex Hernandez (alex_hernandez () ureach com) said:
Linux RH.6.2 Sparc64 and below versions.
On Red Hat Linux 6.2 for sparc: # ls -l /usr/bin/slrnpull -rwxr-s--- 1 news news 48688 Feb 7 2000 /usr/bin/slrnpull # rpm -q slrn-pull slrn-pull-0.9.6.2-4 With all updates applied: # ls -l /usr/bin/slrnpull -rwxr-s--- 1 root news 55456 Mar 1 2001 /usr/bin/slrnpull # rpm -q slrn-pull slrn-pull-0.9.6.4-0.6 Hence, while you may be able to get group news, the program is only runnable by group news. So, I don't think there are any security implications here. Bill
Current thread:
- Slrnpull Buffer Overflow (-d parameter) Alex Hernandez (Apr 22)
- Re: Slrnpull Buffer Overflow (-d parameter) Bill Nottingham (Apr 30)