Date: Thu, 10 Aug 2000 21:30:37 -0600
From: Warner Losh <imp@village.org>
To: "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: suidperl exploit
Message-ID: <200008110330.VAA31484@harmony.village.org>
In-Reply-To: Your message of "Thu, 10 Aug 2000 19:29:31 +0200." <Pine.GSO.4.10.10008101904060.733-100000@nenya.ms.mff.cuni.cz>
References: <Pine.GSO.4.10.10008101904060.733-100000@nenya.ms.mff.cuni.cz>
In message <Pine.GSO.4.10.10008101904060.733-100000@nenya.ms.mff.cuni.cz> "Vladimir Mencl, MK, susSED" writes:
: I just came over the suidperl + mail vulnerability in Linux, and I was
: wondering whether it would work in FreeBSD.

Nope. We're clean. A fix from the perl folks that disables the code. The code did /bin/mail, but we don't have that, which is why we're clean.

: I've not found any security advisory regarding this - can anybody
: comment on this? Has there been a silent fix to this?

No fix is needed. You are safe. However, we just committed some code to the tree that forces users to specifically enable building and installing suidperl in the future. We know of no exploitable holes in it today, why take the risk? It was present for only one utility in the system, and that was rewritten in 'C'. If you want to be extra careful, you can delete suidperl w/o harm.

So no advisory is needed. This is a case where we need a non-vulnerability alert :-). Of course, such an alert is likely to cause more problems than it would solve....

Warner
