Date: Thu, 14 Sep 2000 16:56:13 -0500
From: Ade Lovett <ade@FreeBSD.org>
To: Kris Kennaway
Cc: security@freebsd.org
Subject: Re: potential security exposure in GNOME/ORBit?
Message-ID: <20000914165613.J74753@lovett.com>
In-Reply-To: <20000914122320.G73990@FreeBSD.org>

On Thu, Sep 14, 2000 at 12:23:20PM -0500, Ade Lovett wrote:
> So, short of looking at every single port that we have that uses
> ORBit directly, and making appropriate modifications, I can't see
> how this can be done without potentially hacking a lot of ports,
> and also auditing new ones as they come in.

Unless I hear to the contrary (i.e. someone comes up with a better
solution + patches) by 0900 CDT tomorrow 9/15, I'm going to commit my
original patch, modulo that it will install etc/orbitrc.sample and use
a pkg/MESSAGE suggesting that they move it in place for security
reasons.

There is obviously a security issue here, and it behooves us to at
least put in the quick-fix, even if it is backed out and replaced with
"the right way" at some later date, perhaps in a newer version.

One thing that would be useful is for interested parties to bring up a
suite of ORBit applications that are listening on these high-numbered
ports, and then hunt for an exploit.

If we can get that, we're already covered (by the quick-hack) and it'll
provide a kick in the pants for a proper fix from the people that
understand the code the best -- the authors (I hope :)

-aDe

-- 
Ade Lovett, Austin, TX.  ade@FreeBSD.org
FreeBSD: The Power to Serve  http://www.FreeBSD.org/