From: Darren Reed
Message-Id: <200204150053.KAA22843@caligula.anu.edu.au>
Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems
To: list@rachinsky.de (Nicolas Rachinsky)
Date: Mon, 15 Apr 2002 10:53:25 +1000 (Australia/ACT)
Cc: security@FreeBSD.ORG
In-Reply-To: <20020411204516.GA51239@pc5.abc> from "Nicolas Rachinsky" at Apr 11, 2002 10:45:17 PM

In some mail from Nicolas Rachinsky, sie said:
>
> * Brett Glass [2002-04-11 14:12:01 -0600]:
> > [This is a corrected version of the previous message, which omitted
> > the word "isn't" near the beginning of the second paragraph.]
> >
> > The vulnerability described in the message below is a classic
> > "in-band signalling" problem that may give an unauthorized user
> > the ability to run an arbitrary command as root.
> >
> > Fortunately, the vulnerability isn't present in FreeBSD's daily, weekly,
> > and monthly maintenance scripts, because they use sendmail rather
> > than /bin/mail. Nonetheless, the same patch should be applied to
> > FreeBSD's /bin/mail due to the possibility that other privileged
> > utilities (or user-written scripts) might use /bin/mail instead of
> > sendmail to create e-mail messages.
>
> man mail says:
>      -I    Forces mail to run in interactive mode even when input is not a
>            terminal. In particular, the `~' special character when sending
>            mail is only active in interactive mode.

As I'm sure others have already pointed out: OpenBSD re-introduced this
bug themselves in OpenBSD. It has been fixed everywhere else for some
time.

Things like this little incident are good to take note of so when
someone is saying: "but OpenBSD has better security" you can say:
"Really? They seem to add as many security bugs by themselves as they
fix". (or similar - you get the idea).

The general idea being for an O/S that prides itself on "security" and
"code auditing", you'd think they'd know better than to reintroduce
old security bugs.

In OpenSSH's lifetime, there have been 7 security bugs in it and only 4
in ssh.com's version. Another OpenSSH bug and that'll be twice as many
as for ssh.com. All of those 7 have been introduced by the OpenSSH
programmers.

Darren
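
The behaviour the quoted man page text describes, as an added example that is not part of the original message and is not mail(1)'s source: a toy Python model of a body reader that treats `~` lines as escapes only in interactive mode. The names `collect`, `always_honour`, `lines_needing_review` and `REPORT` are hypothetical, the sample input is constructed, and escapes are only recorded, never acted on.

```python
# Toy model of a mail(1)-style body reader (constructed; not mail's source).
# Escape lines are only recorded here, never acted on.

ESCAPE = "~"

def collect(lines, interactive, always_honour=False):
    """Return (body, escapes) for the given input lines.

    interactive   -- input is a terminal, or -I was given
    always_honour -- hypothetical switch modelling the flawed behaviour,
                     where escapes are parsed even for piped input
    """
    body, escapes = [], []
    active = interactive or always_honour
    for line in lines:
        if active and line.startswith(ESCAPE * 2):
            body.append(line[1:])      # "~~text" sends a literal "~text"
        elif active and line.startswith(ESCAPE):
            escapes.append(line)       # control data taken from the body stream
        else:
            body.append(line)          # plain message text
    return body, escapes

def lines_needing_review(lines):
    """Lines a script should check before piping them to an escape-honouring reader."""
    return [line for line in lines if line.startswith(ESCAPE)]

# Constructed sample: a report assembled by a script, with one line
# that came from data the script does not control.
REPORT = [
    "Nightly report",
    "~s subject chosen by whoever supplied this line",
    "~~ a line that really starts with a tilde",
    "end of report",
]

if __name__ == "__main__":
    modes = [
        ("piped input, escapes inactive", dict(interactive=False)),
        ("piped input, escapes honoured", dict(interactive=False, always_honour=True)),
    ]
    for label, kwargs in modes:
        body, escapes = collect(REPORT, **kwargs)
        print(f"{label}: {len(body)} body lines, escapes={escapes}")
```

With escapes inactive the whole report is delivered as text; with them honoured, one line of the body is consumed as a control instruction, which is the in-band signalling problem in miniature.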