From owner-freebsd-security Tue Oct 3 23: 8:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 9CE1237B502 for ; Tue, 3 Oct 2000 23:08:42 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id AAA27863; Wed, 4 Oct 2000 00:08:26 -0600 (MDT)
Message-Id: <4.3.2.7.2.20001003235232.0499b980@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Wed, 04 Oct 2000 00:08:23 -0600
To: Matt Heckaman , Mike Tancsa
From: Brett Glass
Subject: Re: Fwd: BSD chpass
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To:
References: <4.2.2.20001004011210.035225e0@mail.sentex.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

4.1-RELEASE and 4.1-STABLE do not seem to be vulnerable because the format string bug upon which the exploit relies is gone. (It took me a while to hunt this one down. It was in /src/usr.sbin/vipw/pw_util.c -- not in the directory with the source for chpass itself.)

4.0-RELEASE and all earlier releases I've tested seem to be vulnerable.

--Brett

At 11:16 PM 10/3/2000, Matt Heckaman wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>I've confirmed this to work on 3.5-STABLE as of Sep 21. It did NOT work on
>my 4.1-STABLE or 4.1.1-RELEASE machines, but they could still be
>vulnerable in a method outside the scope of the posted exploit. I just
>found out about this 5 minutes ago and ran to turn off the suid bit :P

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
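The defect class the thread is discussing, a printf-family call whose format argument is data the user controls, shown here as an added example written for this page. It is not FreeBSD's pw_util.c or chpass code; the function names, the idea of a user-edited "name" field and the sample hostile input are all constructed for illustration. The safe form keeps the format string constant so that '%' sequences in user data are copied literally, and a small audit helper flags data that contains a conversion specifier.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not FreeBSD's pw_util.c. `name` stands for a field a
 * user can edit through a setuid program (hypothetical).
 *
 * VULNERABLE pattern (shown only as a comment, never compiled here):
 *
 *     snprintf(out, n, name);          // BUG: user data is the format string
 *
 * A "%x" or "%n" inside `name` is interpreted as a conversion specifier
 * instead of being copied, which is the class of bug the thread describes.
 */

/* SAFE form: the format string is a constant; user data is only ever an
 * argument, so every '%' in it is emitted literally. Returns the length
 * snprintf would have written. */
int safe_report(char *out, size_t n, const char *name)
{
    return snprintf(out, n, "editing entry for: %s", name);
}

/* Audit helper: returns 1 if `s` contains a conversion specifier, i.e. a
 * '%' that is not escaped as "%%". Useful for flagging data that would
 * otherwise reach a printf-style format parameter. */
int has_conversion_spec(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
            return 1;
        }
    }
    return 0;
}

/* Returns 1 if the constructed hostile input survives safe_report()
 * unchanged (i.e. was treated as data, not as a format). */
int demo(void)
{
    const char hostile[] = "%x %x %n";   /* constructed sample input */
    char buf[64];
    safe_report(buf, sizeof buf, hostile);
    return strstr(buf, hostile) != NULL;
}

int main(void)
{
    char buf[64];
    const char hostile[] = "%x %x %n";
    safe_report(buf, sizeof buf, hostile);
    printf("%s\n", buf);                                  /* '%' kept literally */
    printf("contains specifier: %d\n", has_conversion_spec(hostile));
    return 0;
}
```

The audit helper is the check a reviewer would run over any string that flows from an untrusted source toward a format parameter; the real fix, as in the thread, is a constant format string, with removing the setuid bit as the stopgap until the binary is rebuilt.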