Date: Fri, 5 May 2000 09:43:59 -0500 (CDT)
From: Jeremy Shaffner <jer@jorsm.com>
To: ports@freebsd.org
Subject: Security Alert: Big Brother exploit (fwd)
Message-ID: <Pine.BSF.4.21.0005050942540.86077-100000@mercury.jorsm.com>

I hate when I do that.

---------- Forwarded message ----------
Date: Fri, 5 May 2000 08:33:44 -0500 (CDT)
From: Jeremy Shaffner <jer@jorsm.com>
To: billf@FreeBSD.org
Cc: ports@jorsm.com
Subject: Security Alert: Big Brother exploit (fwd)

Just in case you don't already know.

One of the things that bothers me about the BB port is that it doesn't
create a "nobody" user to run as. In my installations I've created a
"bigbro" user (uid 1984 of course) and installed it under /home/bigbro.

I know the Port can't (ie shouldn't) install there, but have you
considered creating a user? (with one of the free uid's according to
handbook/porting.html)

Thanks,

---
Jeremy Shaffner
System Administrator
JORSM Internet
jer@jorsm.com
http://www.jorsm.com/~jer/pgp.key

---------- Forwarded message ----------
Date: Thu, 04 May 2000 19:42:57 -0400
From: Sean MacGuire <sean@bb4.com>
Reply-To: security@bb4.com
To: bb-announce@bb4.com
Subject: Security Alert: Big Brother exploit

[Priority notice to BB registered users - distribute internally]

This notice concerns the Big Brother System and Network Monitor which
our records indicate you downloaded. We wanted to let you know of a
security problem that was brought to our attention.

We will be notifying Bugtraq and Freshmeat shortly, but since you were
good enough to register, you get this advance notice.

If you have any questions or concerns, feel free to contact me directly
at mailto:sean@bb4.com. Sorry for any inconvenience.

===========================
Big Brother Security Notice
===========================

Versions: All prior to 1.4d
Module:   bbd.c (the bb server: BBDISPLAY/BBPAGER)
Affects:  All BBDISPLAY/BBPAGER machines (running bbd)

Summary:  Exploitable buffer overflow in bbd.c could allow arbitrary
          commands to be executed with the same userid/permissions as
          the user running bbd.

Fix:      Download and install version 1.4d from http://bb4.com

          or

          Make sure MAXLINE and MAXBUF are the same...
          Edit bb.h and change

              #define MAXLINE 2048

          to

              #define MAXLINE 4096

          recompile (make)
          reinstall (make install)
          and restart BB (./runbb.sh restart).

Note:     BB should not be run as root!

Found by: jpalardy@paranoia.pgci.ca, thanks!

--
Sean MacGuire, Reality Engineer          sean@bb4.com
The Big Brother Ministry of Truth        http://bb4.com
icbm --> 45'31.06N-73'35.19W             +1 514 996 4638
"Looking down the barrel of another day"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
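
Added illustration, not part of the original messages and not code from bbd.c or the Big Brother project: a defensive pattern for the class of bug the notice describes, where two buffer-size constants drift apart. It assumes MAXBUF is 4096 (inferred from the notice's fix); copy_message and demo_mismatch_rejected are hypothetical names, and the receive buffer contents are constructed.

```c
#include <stddef.h>
#include <string.h>

#define MAXBUF  4096   /* assumed size of the network receive buffer */
#define MAXLINE 4096   /* was 2048 before the fix given in the notice */

/* Fail the build if the two constants ever drift apart again. */
_Static_assert(MAXLINE == MAXBUF, "MAXLINE and MAXBUF must match");

/* Copy a received message into dst without ever writing past dst_size.
 * Returns the number of bytes copied (excluding the NUL), or -1 if the
 * message does not fit. Oversized input is rejected rather than truncated,
 * so a partial message is never acted on. */
long copy_message(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* src may lack a NUL within src_len, so measure it with a bound. */
    const char *nul = memchr(src, '\0', src_len);
    size_t len = nul ? (size_t)(nul - src) : src_len;

    if (len >= dst_size) {          /* no room for data plus terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return (long)len;
}

/* Constructed scenario: an old 2048-byte line buffer is handed a full
 * 4096-byte receive buffer. Returns 1 if the copy was refused and the
 * bytes after the line buffer are untouched. */
int demo_mismatch_rejected(void)
{
    struct { char line[2048]; char canary[8]; } s;
    char recvbuf[MAXBUF];

    memset(recvbuf, 'A', sizeof recvbuf);
    memcpy(s.canary, "CANARY!", 8);

    long n = copy_message(s.line, sizeof s.line, recvbuf, sizeof recvbuf);
    return n == -1 && s.line[0] == '\0'
        && memcmp(s.canary, "CANARY!", 8) == 0;
}
```

Passing the destination size with sizeof at every call site keeps the copy safe even if one of the constants is changed later without the other.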