[410] in linux-security and linux-alert archive
Re: (fwd) [Linux-ISP] U R G E N T!!!! S E C U R I T Y A L E R T!!!!!!! READ NOW!!
daemon@ATHENA.MIT.EDU (Greg Gallagher)
Fri Oct 6 15:42:22 1995
Date: Thu, 5 Oct 1995 09:30:35 -0500 (CDT)
From: Greg Gallagher <ggallag@orion.it.luc.edu>
To: Panzer Boy <panzer@dhp.com>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199510041528.LAA20720@dhp.com>
> I have recently discovered a security flaw in pop3d Version 1.004 with
> shadow password support. (Not sure about the version without shadow
> support, but you might want to check). I discovered that after changing
Yeah ... the problem lies in that, for some reason, the shadow library
doesn't compile in the object valid.o. I've no clue why, I didn't really
look too deeply into it, I just recompiled the popd and linked the
valid.o to it, and it worked like a charm. If this is the same problem
I'm thinking of, sorry I can't get line numbers, but the problem is with
the line that contains the valid() function in the pop source, I believe.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greg Gallagher <ggallag@luc.edu> | "When the fox gnaws--smile!"
Loyola University, student |
(312)973-9375 | -- L. L.
pgp key available upon request |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Wed, 4 Oct 1995, Panzer Boy wrote:
> Has anyone poked into this yet? I just gleaned it off of the Linux ISP
> list. I am running pop from the pine imap code (w/ shadow changes) and
> wasn't able to verify this problem, though I don't usually run bins I
> glean from sunsite, et al.
>
> pine3.91 imap/pop shadow patches can be grabbed from:
> ftp.dhp.com:/pub/linux/security/pine.shadow
>
> --
> -Matt (panzer@dhp.com) DI-1-9026
> "That which can never be enforced should not be prohibited."
>
>
> Path: news.dhp.com!news.dhp.com!not-for-mail
> From: System Administrator <root@maz.mlx.net>
> Newsgroups: mail.linux-isp
> Subject: [Linux-ISP] U R G E N T!!!! S E C U R I T Y A L E R T!!!!!!! READ NOW!!
> Date: 1 Oct 1995 19:19:35 -0400
> Message-ID: <Pine.LNX.3.91.951001154303.27369A-100000@maz.mlx.net>
> To: linuxisp@lightning.com
>
> to shadow support and compiling and testing all of my programs (i.e.
> ftpd, pop3d, login, etc) that the pop3d allowed me to view anyone's mail on
> my system, no matter what password I put in. Thinking that it was maybe
> something I had wrong I telneted to the pop3 port on a few of the shadow
> linux systems I knew about. EVERY System I tried that was running 1.004
> allowed me to read anyone on that system's mail. I have looked at the
> code and have narrowed it down to the util.c file, but am in no way a
> very good C programmer. I am putting out this notice to warn everyone and
> to hope that someone will come up with a fix very quickly. And since my
> newsfeed is down for the weekend would someone please post this on the
> newsgroups and anywhere else you might think it will get distributed the
> fastest. Thanks.
>
>
>
> /---------------------------------------------------------------------------\
> | John Maslanik |\/| | \ / Voice: (619) 449-6282 |
> | MLXnet Admin | | |__ / \ Data/Fax: (619) 449-6274 |
> \---------------------------------------------------------------------------/