Date: Tue, 3 Jun 1997 13:07:33 -0500 (CDT) From: Guy Helmer <ghelmer@cs.iastate.edu> To: Matthias Buelow <token@wicx50.informatik.uni-wuerzburg.de> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Security problem with FreeBSD 2.2.1 default installation Message-ID: <Pine.HPP.3.96.970603130216.9365B-100000@popeye.cs.iastate.edu> In-Reply-To: <199706031651.SAA24768@wicx20.informatik.uni-wuerzburg.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 3 Jun 1997, Matthias Buelow wrote: > > I just checked the bugtraq archives and found an exploit for sperl4.036 > > and sperl 5.00x on FreeBSD was posted April 21! > > I was already wondering when I freshly installed 2.1.5 half a year ago that > sperl 4.x was still setuid (I remember that Perl's unsafety was already > known at least when I was still running 2.1.0 and I also remember some old > CERT advisories mentioning freebsd ages ago). Since then it has become > routine for me to chmod 0 sperl/setuidperl etc. and I'm really wondering > how there could be people left who don't know of that ancient hole? I mean, > even some of my clueless Linux friends know about the sperl vulnerability. ;) In fairness, I think there were patches in FreeBSD's perl for the earlier sperl vulnerability having to do with seteuid/setegid (see FreeBSD SA-96:12 from June 1996 at ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-96%3A12.perl.asc). The newly-fixed problems have to do with buffer overflows. Guy Helmer, Computer Science Grad Student, Iowa State - ghelmer@cs.iastate.edu http://www.cs.iastate.edu/~ghelmer
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.HPP.3.96.970603130216.9365B-100000>