From owner-freebsd-security Tue Jun 10 12:22:22 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA26008 for security-outgoing; Tue, 10 Jun 1997 12:22:22 -0700 (PDT)
Received: from cs.iastate.edu (cs.iastate.edu [129.186.3.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA25993 for ; Tue, 10 Jun 1997 12:22:18 -0700 (PDT)
Received: from popeye.cs.iastate.edu (popeye.cs.iastate.edu [129.186.3.4]) by cs.iastate.edu (8.8.5/8.7.1) with ESMTP id OAA19497; Tue, 10 Jun 1997 14:22:02 -0500 (CDT)
Received: from localhost (ghelmer@localhost) by popeye.cs.iastate.edu (8.8.5/8.7.1) with SMTP id OAA05348; Tue, 10 Jun 1997 14:22:01 -0500 (CDT)
X-Authentication-Warning: popeye.cs.iastate.edu: ghelmer owned process doing -bs
Date: Tue, 10 Jun 1997 14:21:59 -0500 (CDT)
From: Guy Helmer
To: Warner Losh
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Security problem with FreeBSD 2.2.1 default installation
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 10 Jun 1997, Warner Losh wrote:

> In message Guy Helmer writes:
> : I just checked the bugtraq archives and found an exploit for sperl4.036
> : and sperl 5.00x on FreeBSD was posted April 21!
> :
> : I guess no one watches bugtraq?!?
>
> Sigh.
>
> Yes. I watch bug track. I also have a full time job. It takes me
> about a week to get to the bugtraq bugs, and then up to two to four
> weeks to get them fixed due to other time commitments that I have. If
> no one else has the time, then the only way that is going to get
> better will be if I'm paid to watch for these things and paid to spend
> the time to fix them.
>
> I might also point out that the Bugtraq mail had no patches at all for
> 4.x perl. I had to develop them on my own.
>
> Yes, it is important. However, there is only so much that can be done
> given the resources that we have.
Sorry, I did not mean to imply that nobody must be working on this. I meant that I had not heard anything in the FreeBSD security list about this exploit, so I was not aware that anyone (in a position to do something about it) was working on it. I realized after re-reading my message that it could offend anyone who was working on the problem, and it was not meant to.

After a brief look at the perl 5 patches and the perl 4 source, it was quickly obvious that the perl 4 patch was non-trivially different. I've just started tracking current in the past couple of weeks, so I missed your fix.

Thanks for your work, and apologies for the previous message.

Guy Helmer, Computer Science Grad Student, Iowa State - ghelmer@cs.iastate.edu
http://www.cs.iastate.edu/~ghelmer