Date:      Thu, 14 Sep 2000 16:56:13 -0500
From:      Ade Lovett <ade@FreeBSD.org>
To:        Kris Kennaway <kris@FreeBSD.org>
Cc:        security@freebsd.org
Subject:   Re: potential security exposure in GNOME/ORBit?
Message-ID:  <20000914165613.J74753@lovett.com>
In-Reply-To: <20000914122320.G73990@FreeBSD.org>; from ade@FreeBSD.org on Thu, Sep 14, 2000 at 12:23:20PM -0500
References:  <20000914120949.E73990@FreeBSD.org> <Pine.BSF.4.21.0009141013300.64302-100000@freefall.freebsd.org> <20000914122320.G73990@FreeBSD.org>

On Thu, Sep 14, 2000 at 12:23:20PM -0500, Ade Lovett wrote:
> So, short of looking at every single port that we have that uses
> ORBit directly, and making appropriate modifications, I can't see
> how this can be done without potentially hacking a lot of ports,
> and also auditing new ones as they come in.

Unless I hear to the contrary (i.e. someone comes up with a better
solution + patches) by 0900 CDT tomorrow 9/15, I'm going to commit my
original patch, modulo that it will install etc/orbitrc.sample and
use a pkg/MESSAGE suggesting that they move it in place for security
reasons.

There is obviously a security issue here, and it behooves us to
at least put in the quick-fix, even if it is backed out and
replaced with "the right way" at some later date, perhaps in a
newer version.

One thing that would be useful is for interested parties to bring
up a suite of ORBit applications that are listening on these
high-numbered ports, and then hunt for an exploit.  If we can get
that, we're already covered (by the quick-hack) and it'll provide
a kick in the pants for a proper fix from the people that understand
the code the best -- the authors (I hope :)

-aDe

-- 
Ade Lovett, Austin, TX.			ade@FreeBSD.org
FreeBSD: The Power to Serve		http://www.FreeBSD.org/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
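[Editor's note, added to the archive page; this is not part of Ade's
message or of the FreeBSD ports tree.] The message above talks about
ORBit applications "listening on these high-numbered ports" and asks
interested parties to bring such a suite up and look at it. The first
step of that is simply finding which processes have a TCP socket bound
to the wildcard address on a port above 1023. The script below is an
added example that does that from the output of FreeBSD's sockstat; the
SAMPLE text is constructed to resemble `sockstat -4 -l` output and is
not captured from a real system, and the process names in it (panel,
gnome-name, gmc) are assumed for illustration only. Ports, addresses
and the awk field positions are assumptions about the sockstat column
layout; adjust the field numbers if your sockstat prints differently.

```shell
#!/bin/sh
# Added example: list network-reachable TCP listeners on high ports.
# Not code from the FreeBSD ports tree or from the thread above.

# Constructed sample in the style of `sockstat -4 -l`; not real data.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       132    4  tcp4   *:22                  *:*
ade      panel      1234   3  tcp4   *:1027                *:*
ade      gnome-name 1230   5  tcp4   *:1026                *:*
ade      gmc        1240   6  tcp4   127.0.0.1:1031        *:*
root     syslogd    98     4  udp4   *:514                 *:*'

# high_listeners: given sockstat-style text on stdin-like argument $1,
# print "COMMAND PID PORT" for every TCP socket that is bound to the
# wildcard address (reachable from the network) on a port >= 1024.
# Sockets bound to 127.0.0.1, UDP sockets and privileged ports are
# ignored, since they are not what the thread is worried about.
high_listeners() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                  # skip the header line
        $5 !~ /^tcp/ { next }             # TCP listeners only
        {
            n = split($6, a, ":")         # "addr:port" -> addr, port
            addr = a[1]; port = a[n]
            if (addr == "*" && port + 0 >= 1024)
                print $2, $3, port
        }'
}

# audit_live: run the same check against the running system.
# Assumes a FreeBSD host with sockstat(1) in the PATH.
audit_live() {
    high_listeners "$(sockstat -4 -l)"
}

# Demonstration on the constructed sample.
high_listeners "$SAMPLE"
```

On a real box, run `audit_live` and compare the listed PIDs against
processes linked to ORBit (for example with `ldd` on the binaries);
anything that shows up there is a candidate for the exposure discussed
in this thread and a good place to start the exploit hunting Ade asks
for.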

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000914165613.J74753>