From owner-freebsd-security Tue Jun 3 11:17:54 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA13720 for security-outgoing; Tue, 3 Jun 1997 11:17:54 -0700 (PDT)
Received: from wrzx07.rz.uni-wuerzburg.de (wrzx07.rz.uni-wuerzburg.de [132.187.1.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA13715 for ; Tue, 3 Jun 1997 11:17:51 -0700 (PDT)
Received: from wicx50.informatik.uni-wuerzburg.de (mail@wicx50.informatik.uni-wuerzburg.de [132.187.9.50]) by wrzx07.rz.uni-wuerzburg.de (8.8.5/8.8.5) with SMTP id UAA20476; Tue, 3 Jun 1997 20:17:40 +0200 (MET DST)
Received: by wicx50.informatik.uni-wuerzburg.de (8.6.12/uniwue-C-3.1a (CIP Gate)) id UAA09361; Tue, 3 Jun 1997 20:17:40 +0200
Received: from tahiti(132.187.9.20) by cipgate via smap (V1.3) id sma009359; Tue Jun 3 20:17:11 1997
Received: by wicx20.informatik.uni-wuerzburg.de (8.8.5/uniwue-C-3.1 (C)) id UAA25322; Tue, 3 Jun 1997 20:17:10 +0200
From: Matthias Buelow
Message-Id: <199706031817.UAA25322@wicx20.informatik.uni-wuerzburg.de>
Subject: Re: Security problem with FreeBSD 2.2.1 default installation
To: ghelmer@cs.iastate.edu (Guy Helmer)
Date: Tue, 3 Jun 1997 20:17:10 +0200 (MET DST)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Guy Helmer" at Jun 3, 97 01:07:33 pm
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> In fairness, I think there were patches in FreeBSD's perl for the earlier
> sperl vulnerability having to do with seteuid/setegid (see FreeBSD
> SA-96:12 from June 1996 at
> ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-96%3A12.perl.asc).
>
> The newly-fixed problems have to do with buffer overflows.

Well, I generally find it questionable to have such a huge program as the Perl interpreter installed setuid/setgid. You really can't control what's going on in those many 10KLOC; I dare say there are a lot of other security problems waiting for discovery in it.
I'd rather NOT have an s-bit on this thingy as default.