| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Aug 2006 18:00:40 -0600
From: Vincent Danen <vdanen@...sec.ca>
To: Karol Wiesek <karol@...sek.pl>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Lesstif insecure file creation while executing
setuid libXm linked binaries vuln
* Karol Wiesek <karol@...sek.pl> [2006-08-05 00:49:34 +0200]:
> I've found only mandriva has suitable setuid binary
>
> details -> http://karol.wiesek.pl/files/lesstif-advisory.pdf
You don't indicate which version of mtink is installed or, rather, which
version of printer-utils is installed. The issue might be a two-parter,
but the mtink root shell issue was resolved last December with a
printer-utils update as noted in the changelog of the printer-utils
package:
* Thu Dec 29 2005 Stew Benedict <sbenedict@...driva.com> 2006-7.1.20060mdk
- security update for local root vuln in mtink (P103)
If you were not using this version then yes, the advisory would
probably work as indicated. As a result, with the updated printer-utils
package, you get a "/etc/ld.so.preload: Permission denied" error.
So you really should say that Mandriva has a suitable *unpatched* setuid
binary (not so suitable when you install a nine-month-old update).
--
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C A2BC 2EBC 5E32 FEE3 0AD4}
mysql> SELECT * FROM users WHERE clue > 0;
Empty set (0.00sec)
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists