Subject: Re: Advisory: mgetty local compromise
From: Chris L. Mason (cmason UNIXZONE.COM)
Date: Tue Aug 29 2000 - 14:58:11 CDT
- Next message: Linux Mandrake Security Team: "MDKSA-2000:041 - xpdf update"
- Previous message: bugzilla REDHAT.COM: "[RHSA-2000:053-04] Updated usermode packages."
- In reply to: Stan Bubrouski: "Advisory: mgetty local compromise"
- Next in thread: Cy Schubert - ITSD Open Systems Group: "Re: Advisory: mgetty local compromise"
- Reply: Chris L. Mason: "Re: Advisory: mgetty local compromise"
- Reply: Cy Schubert - ITSD Open Systems Group: "Re: Advisory: mgetty local compromise"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Sat, Aug 26, 2000 at 02:23:05AM -0400, Stan Bubrouski wrote:
...
>
> Believed to be vulnerable:
>
...
> OpenBSD 2.7? (mgetty is included in ports packages)
Looks like someone else realized this at least a couple weeks ago.
$ make
===> mgetty-1.1.21 is marked as broken: insecure tempfile handling: can
overwrite any file on the system.
The cvs log shows:
----------------------------
revision 1.17
date: 2000/08/15 19:38:18; author: brad; state: Exp; lines: +2 -2
even better reason why this should be marked BROKEN,
insecure tempfile handling: can overwrite any file on the system
----------------------------
I'm sure this will be updated to 1.1.22 after an audit is done. :)
Chris