From owner-cvs-all Tue Apr 17 1:50:21 2001
Delivered-To: cvs-all@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27])
    by hub.freebsd.org (Postfix) with ESMTP id 513C337B43F;
    Tue, 17 Apr 2001 01:50:15 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id E83BC66E07;
    Tue, 17 Apr 2001 01:50:14 -0700 (PDT)
Date: Tue, 17 Apr 2001 01:50:14 -0700
From: Kris Kennaway
To: Maxim Sobolev
Cc: Kris Kennaway, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/comms/minicom Makefile
Message-ID: <20010417015014.A44605@xor.obsecurity.org>
References: <200104170807.f3H878m78129@freefall.freebsd.org> <3ADC01C1.191316BC@FreeBSD.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="DocE+STaALJfprDB"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3ADC01C1.191316BC@FreeBSD.org>; from sobomax@FreeBSD.org on Tue, Apr 17, 2001 at 11:41:37AM +0300
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, Apr 17, 2001 at 11:41:37AM +0300, Maxim Sobolev wrote:
> Kris Kennaway wrote:
>
> > kris 2001/04/17 01:07:08 PDT
> >
> > Modified files:
> >   comms/minicom Makefile
> > Log:
> > Mark FORBIDDEN; this port allows a local exploit yielding uid uucp
> >
> > Submitted by: empathy@feelings.com
>
> Perhaps more appropriate interim solution would be to just lift off
> setuid bit from the executable instead of marking the whole thing
> FORBIDDEN.

Well, I didn't think it would work then because of inability to create
lockfiles..we could make the lock directory sticky, downgrading the
problem to the ability for a local user to DoS the program (pretty
trivial problem), but I don't have time to do that.

Kris
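
The trade-off discussed in this thread (a set-id bit on the executable versus a sticky lock directory), as an added shell example that is not part of the original message or of the port. The function name and the paths passed to it are assumptions, since the thread names neither the binary path nor the lock directory.

```shell
#!/bin/sh
# classify_lock_setup BINARY LOCKDIR   (hypothetical helper, added illustration)
# Prints one word naming which situation from the thread applies.
classify_lock_setup() {
    bin=$1
    lockdir=$2

    [ -f "$bin" ] && [ -d "$lockdir" ] || { echo "missing"; return 2; }

    # Set-uid/set-gid bit still present: a flaw in the program yields the
    # file owner's or group's ids (the reason the port was marked FORBIDDEN).
    if [ -u "$bin" ] || [ -g "$bin" ]; then
        echo "setid-binary"
        return 1
    fi

    # Bit removed, lock directory not world-writable: an ordinary user
    # running the program may be unable to create lockfiles.
    if [ -z "$(find "$lockdir" -prune -perm -0002 2>/dev/null)" ]; then
        echo "lockdir-not-world-writable"
        return 1
    fi

    # World-writable and sticky: users can create lockfiles but only remove
    # their own, leaving the denial-of-service case described in the reply.
    if [ -k "$lockdir" ]; then
        echo "sticky-lockdir"
        return 0
    fi

    # World-writable without sticky: any user can delete or rename
    # lockfiles that belong to someone else.
    echo "open-lockdir"
    return 1
}

# Constructed demo in a scratch directory (no real system paths touched).
demo=$(mktemp -d)
: > "$demo/prog"; chmod 0755 "$demo/prog"
mkdir "$demo/lock"; chmod 1777 "$demo/lock"
classify_lock_setup "$demo/prog" "$demo/lock"
rm -rf "$demo"
```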