Date: Wed, 4 Oct 2000 00:24:19 -0500 (CDT)
From: Mike Silbersack
To: Matt Heckaman
Cc: Mike Tancsa, freebsd-security@freebsd.org
Subject: Re: Fwd: BSD chpass

On Wed, 4 Oct 2000, Matt Heckaman wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I've confirmed this to work on 3.5-STABLE as of Sep 21. It did NOT work on
> my 4.1-STABLE or 4.1.1-RELEASE machines, but they could still be
> vulnerable in a method outside the scope of the posted exploit. I just
> found out about this 5 minutes ago and ran to turn off the suid bit :P

Unless the nsswitch changes fixed it, 4.1.1 should still be vulnerable -
there are no messages in the cvs logs for chpass indicating any
security-related changes recently. (For both FreeBSD and OpenBSD.)

Looks like the guy didn't want to talk to vendors before posting.

Mike "Silby" Silbersack