From: Berend de Boer
Date: Thu, 11 Jan 2001 19:33:36 +0100
To: Mikhail Kruk, Ann Harrison
Cc: Trevor Johnson, Jason DiCioccio, security@FreeBSD.ORG
Subject: Re: CERT advisory: "Interbase Server Contains Compiled-in Back Door Account"
Message-ID: <3A5DFC80.6060208@pobox.com>

Mikhail Kruk wrote:

>> The backdoor is not documented in the pkg-descr file for the port. If the
>> port is not fixed or forbidden, and it has the backdoor, the fact should
>> at least be documented there.
>
> I don't see how such a backdoor can be left in the package, even if there
> is a warning in pkg_descr.
> This is a potential remote exploit after all.

The InterBase package cannot be installed without explicitly downloading it. The Makefile directs you to the directory from which you have to download it yourself. I think a message stating this would be sufficient.

I will attempt to submit a patch tonight. In the meantime I am attempting to contact Ann Harrison (with this message) to say that I'm willing to help with the security patch for InterBase 4 for FreeBSD.

Groetjes, Berend. (-: