Open Source and information security mailing list archives
 
Message-ID: <Pine.LNX.4.58.0412072343360.7244@shishi.roaringpenguin.com>
Date: Tue, 7 Dec 2004 23:44:57 -0500 (EST)
From: "David F. Skoll" <dfs@...ringpenguin.com>
To: Mandrake Linux Security Team <security@...ux-mandrake.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: MDKSA-2004:145 - Updated rp-pppoe packages fix vulnerability


On Mon, 7 Dec 2004, Mandrake Linux Security Team wrote:

>  Max Vozeler discovered a vulnerability in pppoe, part of the rp-pppoe
>  package.  When pppoe is running setuid root, an attacker can overwrite
>  any file on the system.

As the author of rp-pppoe, I take exception to this being reported as
a "vulnerability".  pppoe is NOT designed to run setuid-root.  You may
as well claim that a setuid "cat" has a vulnerability that lets it read
arbitrary files.

Any Linux distro that installs pppoe setuid root is just plain dangerous.

--
David.

