Re: MDKSA-2004:145 - Updated rp-pppoe packages fix vulnerability
From: David F. Skoll (dfs roaringpenguin.com)
Date: Tue Dec 07 2004 - 22:44:57 CST
On Mon, 7 Dec 2004, Mandrake Linux Security Team wrote:
> Max Vozeler discovered a vulnerability in pppoe, part of the rp-pppoe
> package. When pppoe is running setuid root, an attacker can overwrite
> any file on the system.
As the author of rp-pppoe, I take exception to this being reported as
a "vulnerability". pppoe is NOT designed to run setuid-root. You may
as well claim that a setuid "cat" has a vulnerability that lets it read
arbitrary files.
Any Linux distro that installs pppoe setuid root is just plain dangerous.
--
David.