Date: Tue, 17 Apr 2001 01:50:14 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Maxim Sobolev <sobomax@FreeBSD.org>
Cc: Kris Kennaway <kris@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/comms/minicom Makefile
Message-ID: <20010417015014.A44605@xor.obsecurity.org>
In-Reply-To: <3ADC01C1.191316BC@FreeBSD.org>; from sobomax@FreeBSD.org on Tue, Apr 17, 2001 at 11:41:37AM +0300
References: <200104170807.f3H878m78129@freefall.freebsd.org> <3ADC01C1.191316BC@FreeBSD.org>

On Tue, Apr 17, 2001 at 11:41:37AM +0300, Maxim Sobolev wrote:
> Kris Kennaway wrote:
>
> > kris 2001/04/17 01:07:08 PDT
> >
> > Modified files:
> > comms/minicom Makefile
> > Log:
> > Mark FORBIDDEN; this port allows a local exploit yielding uid uucp
> >
> > Submitted by: empathy@feelings.com
>
> Perhaps more appropriate interim solution would be to just lift off
> setuid bit from the executable instead of marking the whole thing
> FORBIDDEN.

Well, I didn't think it would work then because of inability to create
lockfiles..we could make the lock directory sticky, downgrading the
problem to the ability for a local user to DoS the program (pretty
trivial problem), but I don't have time to do that.

Kris