Date:      Thu, 2 Dec 1999 03:21:21 -0800
From:      Steve Reid <sreid@sea-to-sky.net>
To:        Sheldon Hearn <sheldonh@uunet.co.za>
Cc:        Bill Swingle <unfurl@dub.net>, security@FreeBSD.ORG, Jordan Hubbard <jkh@FreeBSD.ORG>
Subject:   Re: [btellier@USA.NET: Several FreeBSD-3.3 vulnerabilities]
Message-ID:  <19991202032121.A7470@grok.localnet>
In-Reply-To: <64661.944125995@axl.noc.iafrica.com>; from Sheldon Hearn on Thu, Dec 02, 1999 at 11:13:15AM +0200
References:  <19991201093242.A71817@dub.net> <64661.944125995@axl.noc.iafrica.com>

On Thu, Dec 02, 1999 at 11:13:15AM +0200, Sheldon Hearn wrote:
> query-pr: no PRs matched
> Looks to me like this chap's full of hot air.  I'm not saying the
> problems don't exist, but this guy doesn't seem to have done much to
> contact us, eh?

It may be that he contacted the port maintainer and/or security-officer
through email rather than using the PR system.

As long as we're on the subject I may as well relay my own experience...

Some time ago I found a root exploit in a third-party package installed
via ports. I wasn't sure if it was freebsd-specific so I emailed the
port maintainer and the people originally responsible for the software.

I only got a response from the port maintainer, who responded within a
day or so. It turns out the problem is (Free?)BSD specific, and I
figured an email exchange with the port maintainer would be sufficient,
so I didn't think about filing a PR.

I proposed a temporary fix that would reduce the vulnerability such that
it was still serious but no longer instant root. I kept checking the
port's patches directory to see if my temporary fix was applied but
there were no changes in the patches directory (note: I didn't check the
distfiles). Instead a strong warning message about a security hole
appeared in the pkg/DESCR.

A couple of days after the exchange I emailed the port maintainer again
with patches to correct the problems I had found. I don't know if the
patches completely solved all of the problems (stopped looking after I
found two root exploits in 5-10 minutes) or even if the patches were
correct, but I didn't get any further response.

I just checked out the port. The temporary fix appears to have been
applied. The warning message is gone. The patches I offered were never
applied, and there was an equivalent change for only one of the bugs (a
buffer overflow). The other bug can only be solved by dropping
privileges at an appropriate time, which is not done. The program can
still be easily exploited and the problem has not really been solved.

I'd say the severity remains as bad as the holes that started this
thread, if not worse.

When I saw the warning in pkg/DESCR I figured I'd wait a couple weeks
then post to Bugtraq, but never got around to it. I'll try the port
maintainer again first.



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message