Date:      Fri, 27 Aug 1999 10:08:07 -0400
From:      "Sean O'Connell" <sean@stat.Duke.EDU>
To:        FreeBSD security <freebsd-security@FreeBSD.ORG>
Subject:   Chflags vulnerability in FreeBSD?
Message-ID:  <19990827100807.P28256@stat.Duke.EDU>

Hi All-

I received the following from SANS (www.sans.org) and it intimated
that there is a vulnerability in FreeBSD that had previously been
thought to only exist in BSDi:

SANS Security Digest Vol. 3 Num. 8

A) 08/05/1999 - BSDI released a security patch for the chflags problem.  
The vulnerability exists in 4.0.1 and 3.1.  BSDI continues to investigate
the problem to ensure all possible security concerns are addressed. For
more information see:
        http://www.BSDI.COM/support/patches/patches-4.0.1/M401-014.info
        http://www.BSDI.COM/support/patches/patches-3.1/M310-056.info

The followup:

SANS Digest EXTRA -- Vol. 3 Num. 8a

4) In item 10, BSDI A of the August SANS Security Digest, we reported
   the chflags problem as a BSDI-specific problem, when in fact other
   versions of the BSD kernel are affected, as well as some programs (e.g.,
   ssh) based on the same routine. Vendor-specific information can be
   found at:
        http://www.BSDI.COM/support/patches/patches-4.0.1/M401-014.info
        http://www.BSDI.COM/support/patches/patches-3.1/M310-056.info
        http://www.ssh.fi/sshprotocols2/
        http://www.openbsd.org/errata.html#chflags
   Also, according to a Bugtraq posting by Adam Morrison on 08/01/1999,
   NetBSD has corrected the problem and FreeBSD appears to be vulnerable.
   The SANS Digest editors were unable to locate any FreeBSD-specific
   information regarding this problem.

Has this been addressed or fixed?  If it exists, it should probably
be fixed before 3.3 gets out the door.

Thanks
S
-- 
-----------------------------------------------------------------------
Sean O'Connell                                Email: sean@stat.Duke.EDU
Institute of Statistics and Decision Sciences Phone: (919) 684-5419
Duke University                               Fax:   (919) 684-8594
