|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
Date: Tue, 7 Dec 2004 23:44:57 -0500 (EST) From: "David F. Skoll" <dfs@roaringpenguin.com> To: Mandrake Linux Security Team <security@linux-mandrake.com> Cc: bugtraq@securityfocus.com In-Reply-To: <20041207023644.9517.qmail@updates.mandrakesoft.com> Message-ID: <Pine.LNX.4.58.0412072343360.7244@shishi.roaringpenguin.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII On Mon, 7 Dec 2004, Mandrake Linux Security Team wrote: > Max Vozeler discovered a vulnerability in pppoe, part of the rp-pppoe > package. When pppoe is running setuid root, an attacker can overwrite > any file on the system. As the author of rp-pppoe, I take exception to this being reported as a "vulnerability". pppoe is NOT designed to run setuid-root. You may as well claim that a setuid "cat" has a vulnerability that lets it read arbitrary files. Any Linux distro that installs pppoe setuid root is just plain dangerous. -- David.
|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |