[12409] in bugtraq
Re: Amanda multiple vendor local root compromises
daemon@ATHENA.MIT.EDU (Alexandre Oliva)
Tue Nov 2 13:10:27 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <or904hce92.fsf@garnize.lsd.ic.unicamp.br>
Date: Tue, 2 Nov 1999 09:41:13 -0200
Reply-To: oliva@LSD.IC.UNICAMP.BR
From: Alexandre Oliva <oliva@LSD.IC.UNICAMP.BR>
X-To: monti <monti@USHOST.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: monti's message of "Mon, 1 Nov 1999 17:54:44 -0600"

On Nov 1, 1999, monti <monti@USHOST.COM> wrote:

> I confirmed a few exploitable buffer overflows in multiple suid's on an
> earlier version of amanda on BSDI as well a while back. As I recollect
> 'runtar' was one of them.

It's probably time to refresh your view :-)

Amanda has undergone a major security audit before release 2.4.0
final (the latest stable release is 2.4.1p1), in which a couple of
security problems have been fixed, and a lot of security problem-prone
constructs have been reworked to avoid buffer overflows and such.

Anyway, we'd be very interested in being informed (preferably in
advance :-) if any problems remained, or if any new ones have been
introduced.

Thanks for your concern.

--
Alexandre Oliva http://www.ic.unicamp.br/~oliva IC-Unicamp, Bra[sz]il
oliva@{lsd.ic.unicamp.br,guarana.{org,com}} aoliva@{acm,computer}.org
oliva@{gnu.org,kaffe.org,{egcs,sourceware}.cygnus.com,samba.org}
** I may forward mail about projects to mailing lists; please use them