From owner-freebsd-security Tue Jun 10 10:09:35 1997
Return-Path: <owner-security>
Received: (from root@localhost)
    by hub.freebsd.org (8.8.5/8.8.5) id KAA17341
    for security-outgoing; Tue, 10 Jun 1997 10:09:35 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49])
    by hub.freebsd.org (8.8.5/8.8.5) with SMTP id KAA17325
    for <freebsd-security@freebsd.org>; Tue, 10 Jun 1997 10:09:32 -0700 (PDT)
Received: from rover.village.org [127.0.0.1] by rover.village.org
    with esmtp (Exim 1.60 #1) id 0wbUPM-0001GK-00; Tue, 10 Jun 1997 11:08:36 -0600
To: Matthias Buelow <token@wicx50.informatik.uni-wuerzburg.de>
Subject: Re: Security problem with FreeBSD 2.2.1 default installation
Cc: ghelmer@cs.iastate.edu (Guy Helmer), freebsd-security@freebsd.org
In-reply-to: Your message of "Tue, 03 Jun 1997 18:51:42 +0200."
    <199706031651.SAA24768@wicx20.informatik.uni-wuerzburg.de>
References: <199706031651.SAA24768@wicx20.informatik.uni-wuerzburg.de>
Date: Tue, 10 Jun 1997 11:08:35 -0600
From: Warner Losh <imp@village.org>
Message-Id: <E0wbUPM-0001GK-00@rover.village.org>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199706031651.SAA24768@wicx20.informatik.uni-wuerzburg.de> Matthias Buelow writes:
: I was already wondering when I freshly installed 2.1.5 half a year ago that
: sperl 4.x was still setuid (I remember that Perl's unsafety was already
: known at least when I was still running 2.1.0 and I also remember some old
: CERT advisories mentioning freebsd ages ago). Since then it has become
: routine for me to chmod 0 sperl/setuidperl etc. and I'm really wondering
: how there could be people left who don't know of that ancient hole? I mean,
: even some of my clueless Linux friends know about the sperl vulnerability. ;)

I'm pretty sure it wasn't that ancient hole, but rather a newer one
that was a buffer overflow. The ancient hole was different and fixed,
if memory serves correctly.

Warner