Message-ID: <3A5E3941.4040407@pobox.com>
Date: Thu, 11 Jan 2001 23:52:49 +0100
From: Berend de Boer
To: Mikhail Kruk
Cc: Trevor Johnson, Jason DiCioccio, security@FreeBSD.ORG, Jordan Hubbard
Subject: Re: CERT advisory: "Interbase Server Contains Compiled-in Back Door Account"

Mikhail Kruk wrote:

>> The backdoor is not documented in the pkg-descr file for the port. If the
>> port is not fixed or forbidden, and it has the backdoor, the fact should
>> at least be documented there.
>
> I don't see how such a backdoor can be left in the package, even if there
> is a warning in pkg_descr.
> This is a potential remote exploit after all.

Hello All,

What do you think about this message when someone attempts to fetch the port:

    make fetch
    Sorry, this package cannot be fetched automagically.
    Point your browser to http://iblinux.rios.co.jp/intl/dloadfb/.
    And put the package in /usr/ports/distfiles.

    IMPORTANT NOTE: a security compromise has been detected for this package.
    Don't install this package on a server connected to the Internet or in
    insecure environments. Read http://www.cert.org/advisories/CA-2001-01.html
    for more information.

Would this be enough to remove the FORBIDDEN flag?

I'm attempting to get the patch for the FreeBSD platform, so this is just an intermediate solution. I'm also attempting to make an InterBase 6 firebird port as a more secure InterBase 6.

Greetings,

Berend. (-: