Date: Thu, 14 Nov 2002 17:04:30 -0600
From: "Jacques A. Vidrine"
To: Kris Kennaway
Cc: Knud Erik Højgaard, ports@freebsd.org, mita@FreeBSD.org
Subject: Re: security problem in /usr/ports/comms/efax

On Thu, Nov 14, 2002 at 02:48:21PM -0800, Kris Kennaway wrote:
> On Thu, Nov 14, 2002 at 07:38:29PM +0100, Knud Erik Højgaard wrote:
> > ===> SECURITY NOTE:
> > This port has installed the following binaries which execute with
> > increased privileges.
> > 326461 192 -rwsr-xr-x 1 uucp dialer 97432 Nov
> > 14 19:13 /usr/local/bin/efax
[...]
> Thanks for your note. I have marked the port FORBIDDEN for now until
> someone can review and commit your patch.
[...]

Just FYI, this efax application is the same one that is and has been
bundled with KDE's kdeutils package --- or at least they have the same
heritage. The kdeutils package no longer installs efax set-user-ID
since about kdeutils 2.2.2. You can google for `kdeutils efax security'
to find more information. The kdeutils efax may already have a fix...

Cheers,
-- 
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se