From owner-freebsd-security Thu Jul 11 21:23:26 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA28712 for security-outgoing; Thu, 11 Jul 1996 21:23:26 -0700 (PDT)
Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA28704 for ; Thu, 11 Jul 1996 21:23:23 -0700 (PDT)
Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id WAA04487; Thu, 11 Jul 1996 22:23:07 -0600 (MDT)
Date: Thu, 11 Jul 1996 22:23:07 -0600 (MDT)
Message-Id: <199607120423.WAA04487@rocky.mt.sri.com>
From: Nate Williams
To: Brian Tao
Cc: Dan Polivy, freebsd-security@freebsd.org
Subject: Re: is FreeBSD's rdist vulnerable?
In-Reply-To:
References:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Brian Tao writes:
> On Wed, 3 Jul 1996, Dan Polivy wrote:
> >
> > Has anyone read 8lgm's rdist advisory and attempted to see whether or not
> > FreeBSD's rdist is vulnerable? I use rdist to update various files here,
> > and so I suppose getting rid of the setuid bit would break it? Thanks...
>
> It is indeed vulnerable. I've mailed security-officer@freebsd.org
> the exploit so someone can fix it right away. 2.1.0R and all the 2.2
> snapshots are vulnerable. I haven't tried any of the 2.1.5 releases.

I *just* made some sprintf() -> snprintf() changes to current's rdist.
If I sent you the patches could you check them out and see if it fixes
the bug?

They are pretty innocuous patches, and could be brought into -stable if
it's not too late if it turns out they fix the bug.

Nate
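The kind of sprintf() -> snprintf() conversion mentioned in the message above, as an added example: this is not rdist's code and not the patch the message refers to. The helper name, format string, buffer sizes and sample host/path values are assumptions made for illustration. The block also checks snprintf()'s return value, since a bounded write can still truncate silently.

```c
#include <stdio.h>
#include <string.h>

/* Before (unbounded): sprintf(dst, "%s: %s", host, path);
 * any host/path pair longer than dst overruns it. */

/*
 * After (bounded). format_msg() is a hypothetical helper for this example.
 * Returns the string length on success, or -1 if the output would not fit;
 * on failure dst is left empty so a truncated path is never acted upon.
 */
int format_msg(char *dst, size_t dstlen, const char *host, const char *path)
{
    int n;

    if (dst == NULL || dstlen == 0)
        return -1;
    n = snprintf(dst, dstlen, "%s: %s", host, path);
    if (n < 0 || (size_t)n >= dstlen) {   /* error, or output was cut short */
        dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructed check: oversized input is rejected and the bytes that follow
 * the buffer are untouched. Returns 1 when the guard region is intact. */
int oversized_is_contained(void)
{
    struct { char buf[8]; unsigned char guard[8]; } s;
    size_t i;

    memset(s.guard, 0x5A, sizeof s.guard);
    if (format_msg(s.buf, sizeof s.buf, "hostA", "/etc/motd") != -1)
        return 0;
    for (i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 0x5A)
            return 0;
    return s.buf[0] == '\0';
}

int main(void)
{
    char msg[32];
    printf("%d %d\n", format_msg(msg, sizeof msg, "hostA", "/etc/motd"),
           oversized_is_contained());
    return 0;
}
```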