From owner-freebsd-security Tue Mar 11 10: 0:40 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AEDE037B401 for ; Tue, 11 Mar 2003 10:00:37 -0800 (PST) Received: from pol.dyndns.org (pol.net1.nerim.net [80.65.225.93]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4A82D43F75 for ; Tue, 11 Mar 2003 10:00:33 -0800 (PST) (envelope-from guy@device.dyndns.org) Received: from oemcomputer.device.dyndns.org (partserver.pol.local [172.16.10.10]) by pol.dyndns.org (8.12.6/8.12.6) with ESMTP id h2BI0DM4015218 for ; Tue, 11 Mar 2003 19:00:17 +0100 (CET) Message-Id: <5.1.1.6.0.20030311185258.04022810@device.dyndns.org> X-Sender: guy@device.dyndns.org X-Mailer: QUALCOMM Windows Eudora Version 5.1.1 Date: Tue, 11 Mar 2003 18:59:47 +0100 To: freebsd-security@FreeBSD.ORG From: "Guy P." Subject: Re: Prov. patch for the file hole ISS disclosed In-Reply-To: <20030311174126.GA57179@madman.celabo.org> References: <5.2.0.9.2.20030311113159.0386fea0@localhost> <200303061415.h26EFlhD004317@device.dyndns.org> <200303061415.h26EFlhD004317@device.dyndns.org> <5.2.0.9.2.20030311113159.0386fea0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 18:41 11/03/2003, Jacques A. Vidrine wrote: >On Tue, Mar 11, 2003 at 11:34:40AM -0600, Christopher Schulte wrote: > > At 09:41 AM 3/6/2003 -0600, Jacques A. Vidrine wrote: > > >Thanks! However, this has already been fixed in -CURRENT (by import > > >of FILE 3.41). I do not know whether or not David plans to MFC in > > >time for 4.8-RELEASE. > > > > I think this should be merged into the security branches, > > due to possible remote exploit by third party programs that > > use file, such as (at the very least) amavis. > >I tend to agree. > >David? FYI, amavis people just released a SA where they state "We expect that all distributors of free UNIX(R)-like operating systems will address the issue shortly." See http://marc.theaimsgroup.com/?l=amavis-user&m=104740298431088&w=2 Also wanted to mention that amavis provide a way to run its processes as a non-root user, but it take some work to achieve, so we can expect some people will have "delayed" doing so ( just as i did until i realized what implications it had :] ) -- G.P. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message