Date: Fri, 16 Oct 1998 02:23:11 -0700
From: "Jan B. Koum " <jkb@best.com>
To: andrew@squiz.co.nz, security@FreeBSD.ORG
Subject: Re: X allows ordinary user to read first line of any file
Message-ID: <19981016022311.A753@best.com>
In-Reply-To: <Pine.BSF.4.01.9810161756550.706-100000@aniwa.sky>; from Andrew McNaughton on Fri, Oct 16, 1998 at 06:08:02PM +1300
References: <Pine.BSF.4.01.9810161756550.706-100000@aniwa.sky>

On Fri, Oct 16, 1998 at 06:08:02PM +1300, Andrew McNaughton <andrew@squiz.co.nz> wrote:
>
> found this on http://www.hoobie.net/security/exploits/
>
> joeuser@host$ X -config /etc/master.passwd
> Unrecognized option: root:yd0Rj.v.r1wKA:0:0::0:0:Charlie
> use: X [:<display>] [option]
> .
> .
> .
>
> I'm sure there's other files where this can be a problem, but in the case
> of the password file it seems wise to have a dummy entry as the first line
> of the master.passwd file.
>
>
> Andrew McNaughton
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

I am sure something will correct me, but I think you are running
the 3.3.1 version which is vulnerable I guess. It is old. You should
really upgrade. The new release doesn't even have the -config options
as far as I can tell:

% bin/XF86_SVGA -version
[...]
XFree86 Version 3.3.2.3 / X Window System
Operating System: FreeBSD 3.0-CURRENT i386 [ELF]
[...]
% bin/XF86_SVGA -config /etc/master.passwd
bin/XF86_SVGA -config /etc/master.passwd
Unrecognized option: -config

I am not sure if 3.0 will ship with 3.3.2.3 - Jordan? I myself
use XiG product (hence limited knowledge of XFree86) and that also
seems fine at first glance.

BTW, wouldn't you kind of consider this to be a bug in XFree86
rather than a bug in FreeBSD OS? :)

-- Yan

I don't have the password ....    + Jan Koum
But the path is chainlinked ..    | Spelled Jan, pronounced Yan. There.
So if you've got the time ....    | Web: http://www.best.com/~jkb
Set the tone to sync .........    + OS: http://www.FreeBSD.org