From owner-freebsd-security Fri Oct 16 02:24:35 1998
Return-Path:
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id CAA03493
          for freebsd-security-outgoing; Fri, 16 Oct 1998 02:24:35 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA03488
          for ; Fri, 16 Oct 1998 02:24:34 -0700 (PDT)
          (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost)
          by shell6.ba.best.com (8.9.0/8.9.0/best.sh) id CAA00836;
          Fri, 16 Oct 1998 02:23:11 -0700 (PDT)
Message-ID: <19981016022311.A753@best.com>
Date: Fri, 16 Oct 1998 02:23:11 -0700
From: "Jan B. Koum "
To: andrew@squiz.co.nz, security@FreeBSD.ORG
Subject: Re: X allows ordinary user to read first line of any file
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Andrew McNaughton on Fri, Oct 16, 1998 at 06:08:02PM +1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Oct 16, 1998 at 06:08:02PM +1300, Andrew McNaughton wrote:
>
> found this on http://www.hoobie.net/security/exploits/
>
> joeuser@host$ X -config /etc/master.passwd
> Unrecognized option: root:yd0Rj.v.r1wKA:0:0::0:0:Charlie
> use: X [:] [option]
> .
> .
> .
>
> I'm sure there's other files where this can be a problem, but in the case
> of the password file it seems wise to have a dummy entry as the first line
> of the master.passwd file.
>
>
> Andrew McNaughton
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

I am sure something will correct me, but I think you are running
the 3.3.1 version which is vulnerable I guess. It is old. You should
really upgrade. The new release doesn't even have the -config options
as far as I can tell:

% bin/XF86_SVGA -version
[...]
XFree86 Version 3.3.2.3 / X Window System
Operating System: FreeBSD 3.0-CURRENT i386 [ELF]
[...]
% bin/XF86_SVGA -config /etc/master.passwd
bin/XF86_SVGA -config /etc/master.passwd
Unrecognized option: -config

I am not sure if 3.0 will ship with 3.3.2.3 - Jordan? I myself
use XiG product (hence limited knowledge of XFree86) and that also
seems fine at first glance.

BTW, wouldn't you kind of consider this to be a bug in XFree86
rather than a bug in FreeBSD OS? :)

-- Yan

I don't have the password .... + Jan Koum
But the path is chainlinked .. | Spelled Jan, pronounced Yan. There.
So if you've got the time .... | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS:  http://www.FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message