From owner-freebsd-ports  Sun Oct 29 10:29:41 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153])
	by hub.freebsd.org (Postfix) with ESMTP
	id B253337B4C5; Sun, 29 Oct 2000 10:29:36 -0800 (PST)
Received: from hamlet.nectar.com (hamlet.nectar.com [10.0.1.102])
	by gw.nectar.com (Postfix) with ESMTP
	id 268BA193DF; Sun, 29 Oct 2000 12:29:35 -0600 (CST)
Received: (from nectar@localhost)
	by hamlet.nectar.com (8.11.1/8.9.3) id e9TITZq69728;
	Sun, 29 Oct 2000 12:29:35 -0600 (CST)
	(envelope-from nectar@spawn.nectar.com)
Date: Sun, 29 Oct 2000 12:29:34 -0600
From: "Jacques A. Vidrine" <n@nectar.com>
To: Roman Shterenzon <roman@xpert.com>
Cc: Jeremy Norris <ishmael27@home.com>, ports@FreeBSD.ORG,
	security@freebsd.org
Subject: Re: Remote buffer overflow in gnomeicu 0.93
Message-ID: <20001029122934.A69717@hamlet.nectar.com>
References: <20001029072540.A89648@babylon.merseine.nu> <Pine.LNX.4.10.10010291958530.2096-100000@jamus.xpert.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.LNX.4.10.10010291958530.2096-100000@jamus.xpert.com>; from roman@xpert.com on Sun, Oct 29, 2000 at 08:00:32PM +0200
X-Url: http://www.nectar.com/
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Oct 29, 2000 at 08:00:32PM +0200, Roman Shterenzon wrote:
> On Sun, 29 Oct 2000, Jeremy Norris wrote:
> > Gnomeicu doesn't run with any privelege however, unless one is
> > foolish enough to run it as root. At worse, a deviant person could
> > crash it and gain access as an unprivleged user. Is thate enough to
> > make a port FORBIDDEN?

> It's a serious security breach, like giving someone to login as you
> without a password. That's exactly the same. Seems like a very serious
> problem to me.
> It's just a matter of time when the attacker will elevate her priveledges. 

Except that the bug in question is not a buffer overflow, and does not
appear to have security consequences.  I trust you have already reported
the bug to the author -- when you get a reply, I would be happy to see
it, too.
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message