[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0208101658590.19883-100000@dent.suse.de>
From: draht at suse.de (Roman Drahtmueller)
Subject: Local Root Exploit
> To: vulnwatch@...nwatch.org, bugtraq@...urityfocus.com,
> vuln-dev@...urityfocus.com, lance@...eynet.org,
> full-disclosure@...ts.netsys.com, submissions@...ketstormsecurity.org
> Date: Fri, 9 Aug 2002 15:54:32 -0700
> Subject: [Full-Disclosure] Local Root Exploit
> Reply-To: full-disclosure@...ts.netsys.com
>
This exploit has been published _after_ SuSE Security have published the
packages for the bug on Thursday, August 8, 18:05MEST. I don't want to
claim that gobbles learnt about the bug from the changelogs, but it
definitely looks like.
It is correct that finding format string bugs should be left to the
professionals. This bug has been found by Sebastian Krahmer, SuSE
Security, during an internal code audit. Urgent and adverse matters kept
us from publishing it earlier. It looks like it was early enough.
Please update using the following command:
rpm -Fhv ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/i4l-2002.7.31-0.i386.rpm
ipppd is not installed setuid root any more with this update package.
Besides, I don't think that it is appropriate to carry out a catfight on a
security list.
> *
> * GENERIC FORMATSTRING EXPLOITS ARE SUPER DUPER FUN
> *
> * We're surprised that format bugs are allowed in 7350linux, but no one
> * is perfect. Finding format bugs is a difficult task, and should be left
> * to the professionals. A little known fact -- Paul Vixie invented
> * insecure programming. We wanted to get this bug squashed before some
> * "researcher" from snosoft.com discovered it and tried to make some money
> * off it. Help us in our mission to eliminate the existance of format bugs
> * in code.
> *
> * Greets:
[...]
Thanks,
Roman.
--
- -
| Roman Drahtm?ller <draht@...e.de> // "You don't need eyes to see, |
SuSE Linux AG - Security Phone: // you need vision!"
| N?rnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
- -
Powered by blists - more mailing lists