From owner-freebsd-security  Sat Sep  8 19: 4:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42])
	by hub.freebsd.org (Postfix) with ESMTP
	id 367C137B401; Sat,  8 Sep 2001 19:04:31 -0700 (PDT)
Received: (from ache@localhost)
	by nagual.pp.ru (8.11.6/8.11.6) id f8924Ro34766;
	Sun, 9 Sep 2001 06:04:27 +0400 (MSD)
	(envelope-from ache)
Date: Sun, 9 Sep 2001 06:04:26 +0400
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Jordan Hubbard <jkh@FreeBSD.ORG>, mike@sentex.net,
	security@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909060426.C34519@nagual.pp.ru>
References: <200109082103.f88L3fK29117@earth.backplane.com> <20010908181652H.jkh@freebsd.org> <5.1.0.14.0.20010908211920.02949008@192.168.0.12> <20010908182304C.jkh@freebsd.org> <20010908190103.A5814@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="c3bfwLpm8qysLVxt"
Content-Disposition: inline
In-Reply-To: <20010908190103.A5814@xor.obsecurity.org>
User-Agent: Mutt/1.3.21i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


--c3bfwLpm8qysLVxt
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Sep 08, 2001 at 19:01:03 -0700, Kris Kennaway wrote:
> uucp binaries in question.  uustat is executed by default by root in
> /etc/periodic.

uustat must be executed by 'su -m uucp' in any case.

> There are other consequences of the underlying vulnerability (full
> read/write access to the /var/spool/uucp directories, for example), so

It can't be fixed without total UUCP redesign, it is their problem, not
ours.

--=20
Andrey A. Chernov
http://ache.pp.ru/

--c3bfwLpm8qysLVxt
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia

iQCVAwUBO5rOKuJgpPLZnQjrAQEt0wQA3fAFAPI0doie+Y9ZMBagAIJfwV/H27JP
1HJUP8/sHFQkL5odVAYdin1Z1F/b2lw/L9pwJwibpQTZQjlvEqceIA//ERch/Sdc
EO1F7bp2CJfi9LlPKEKgbImCTQcN1Og4OqzbUg3nV4NmEaO+rOnPlGS2LiZXVdOt
X6fv5kwnl9U=
=Rv4o
-----END PGP SIGNATURE-----

--c3bfwLpm8qysLVxt--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message