From owner-freebsd-security Thu Dec 2 3:20:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from tusk.mountain-inter.net (tusk.mountain-inter.net [204.244.200.1]) by hub.freebsd.org (Postfix) with ESMTP id 869B014D8B; Thu, 2 Dec 1999 03:20:16 -0800 (PST) (envelope-from sreid@sea-to-sky.net)
Received: from grok.localnet (unknown@analog17.sq.mntn.net [204.244.200.26]) by tusk.mountain-inter.net (8.9.3/8.9.3) with ESMTP id DAA09993; Thu, 2 Dec 1999 03:20:08 -0800
Received: by grok.localnet (Postfix, from userid 1000) id 96A03212E07; Thu, 2 Dec 1999 03:21:21 -0800 (PST)
Date: Thu, 2 Dec 1999 03:21:21 -0800
From: Steve Reid
To: Sheldon Hearn
Cc: Bill Swingle, security@FreeBSD.ORG, Jordan Hubbard
Subject: Re: [btellier@USA.NET: Several FreeBSD-3.3 vulnerabilities]
Message-ID: <19991202032121.A7470@grok.localnet>
References: <19991201093242.A71817@dub.net> <64661.944125995@axl.noc.iafrica.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <64661.944125995@axl.noc.iafrica.com>; from Sheldon Hearn on Thu, Dec 02, 1999 at 11:13:15AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Dec 02, 1999 at 11:13:15AM +0200, Sheldon Hearn wrote:
> query-pr: no PRs matched
> Looks to me like this chap's full of hot air. I'm not saying the
> problems don't exist, but this guy doesn't seem to have done much to
> contact us, eh?

It may be that he contacted the port maintainer and/or security-officer
through email rather than using the PR system.

As long as we're on the subject I may as well relay my own experience...

Some time ago I found a root exploit in a third-party package installed
via ports. I wasn't sure if it was freebsd-specific so I emailed the
port maintainer and the people originally responsible for the software.
I only got a response from the port maintainer, who responded within a
day or so.

It turns out the problem is (Free?)BSD specific, and I figured an email
exchange with the port maintainer would be sufficient, so I didn't think
about filing a PR. I proposed a temporary fix that would reduce the
vulnerability such that it was still serious but no longer instant root.
I kept checking the port's patches directory to see if my temporary fix
was applied but there were no changes in the patches directory (note: I
didn't check the distfiles). Instead a strong warning message about a
security hole appeared in the pkg/DESCR.

A couple of days after the exchange I emailed the port maintainer again
with patches to correct the problems I had found. I don't know if the
patches completely solved all of the problems (stopped looking after I
found two root exploits in 5-10 minutes) or even if the patches were
correct, but I didn't get any further response.

I just checked out the port. The temporary fix appears to have been
applied. The warning message is gone. The patches I offered were never
applied, and there was an equivalent change for only one of the bugs (a
buffer overflow). The other bug can only be solved by dropping
privileges at an appropriate time, which is not done. The program can
still be easily exploited and the problem has not really been solved.
I'd say the severity remains as bad as the holes that started this
thread, if not worse.

When I saw the warning in pkg/DESCR I figured I'd wait a couple weeks
then post to Bugtraq, but never got around to it. I'll try the port
maintainer again first.