Open Source and information security mailing list archives
 
Message-ID: <20041005075653.3765c36e.vh@helith.net>
Date: Tue, 5 Oct 2004 07:56:53 +0200
From: van Helsing <vh@...ith.net>
To: Steve Kemp <steve@...ve.org.uk>
Cc: bugtraq@...urityfocus.com
Subject: Re: Buffer Overflow in Spider game

On Mon, 4 Oct 2004 20:23:46 +0100
Steve Kemp <steve@...ve.org.uk> wrote:

> On Sun, Oct 03, 2004 at 12:05:23PM +0300, Security Team wrote:
> 
> > A vulnerability has been discovered in the game spider, an
> > application contained in the Debian GNU/Linux distribution.
> > The vulnerability allows a local attacker to gain elevated
> > privileges by overflowing the -s parameter.
> > 
> > Impact:
> > The attacker can gain group privileges. By default "games".
> 
>   Neither Debian stable nor unstable contain any spider binaries
>  setuid or setgid.

*cut the linux crap ;)*

He didn't say DEBIAN is affected.
He just said it's contained in Debian.
I would take "contained" as an example.... not as "only affected".
And he also didn't say anything about getting r00t.
Just group privileges... (getting "games"-gid.. w00w00 ;)).

Even if Debian doesn't setuid/setgid spider, it's included, and I'm sure the
author wouldn't report things which don't work.

So get the "games"-gid with this error and be happy. ;-)
And spend honor to the guys who allow the "games"-group to use adduser. :)


vh
