Date: Fri, 12 Apr 2002 23:32:36 -0700 From: "Crist J. Clark" <cjc@FreeBSD.org> To: Nicolas Rachinsky <list@rachinsky.de> Cc: security@FreeBSD.org, brett@lariat.org Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems Message-ID: <20020412233236.A43915@blossom.cjclark.org> In-Reply-To: <20020411204516.GA51239@pc5.abc>; from list@rachinsky.de on Thu, Apr 11, 2002 at 10:45:17PM %2B0200 References: <4.3.2.7.2.20020411141011.030a0b80@nospam.lariat.org> <20020411204516.GA51239@pc5.abc>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Apr 11, 2002 at 10:45:17PM +0200, Nicolas Rachinsky wrote:
> * Brett Glass <brett@lariat.org> [2002-04-11 14:12:01 -0600]:
> > [This is a corrected version of the previous message, which omitted
> > the word "isn't" near the beginning of the second paragraph.]
> >
> > The vulnerability described in the message below is a classic
> > "in-band signalling" problem that may give an unauthorized user
> > the ability to run an arbitrary command as root.
> >
> > Fortunately, the vulnerability isn't present in FreeBSD's daily, weekly,
> > and monthly maintenance scripts, because they use sendmail rather
> > than /bin/mail.
No, they use mail(1),
$ more /usr/bin/periodic
.
.
.
*) pipe="mail -s '$host ${arg##*/} run output' $output";;
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020412233236.A43915>