From owner-freebsd-security  Fri Jul 12 15:25:20 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id PAA22768
          for security-outgoing; Fri, 12 Jul 1996 15:25:20 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA22759
          for <freebsd-security@freebsd.org>; Fri, 12 Jul 1996 15:25:16 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id SAA06083; Fri, 12 Jul 1996 18:24:58 -0400 (EDT)
Date: Fri, 12 Jul 1996 18:24:57 -0400 (EDT)
From: Brian Tao <taob@io.org>
To: Nate Williams <nate@mt.sri.com>
cc: Dan Polivy <danp@carebase3.jri.org>, freebsd-security@freebsd.org
Subject: Re: is FreeBSD's rdist vulnerable?
In-Reply-To: <199607120423.WAA04487@rocky.mt.sri.com>
Message-ID: <Pine.NEB.3.92.960712182350.27070J-100000@zap.io.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 11 Jul 1996, Nate Williams wrote:
>
> I *just* made some sprintf() -> snprintf() changes to current's rdist.
> If I sent you the patches could you check them out and see if it fixes
> the bug?  They are pretty innocuous patches, and could be brought into
> -stable if it's not too late if it turns out they fix the bug.

    Sure, fire 'em over.  I suspect there are a lot of other programs
that may also have this type of vulnerability.  It's already been
exploited for syslog and rdist, but there are a hell of a lot of other
binaries that ship setuid root by default.
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"