[23647] in bugtraq
Re: Remote Root Hole in FreeBSD Ports
daemon@ATHENA.MIT.EDU (networkingysistemas networkingysis)
Sat Dec 29 14:27:53 2001
Date: Sat, 29 Dec 2001 10:41:02 +0100 (MET)
Message-ID: <2976920.1009618862538.JavaMail.nobody@proxywap.airtel.net>
From: networkingysistemas networkingysistemas xxx <rdelcampo@airtel.net>
To: Horms <horms@vergenet.net>
To: bugtraq <bugtraq@bugtraq.org>
Cc: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
In-Reply-To: <20011227024139.GA8638@verge.net.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
----- Mensaje original -----
> This notice is in reference to a reported root hole in the FreeBSD port of
> perdition and more specifically the library vanessa_logger that it
> requires.
>
> http://www.securityfocus.org/archive/1/247148
>
> First I would like to express great dismay that this was published on a
> public list (BugTraq) without prior consultation with the author (myself)
> or to my knowledge the maintainer of the FreeBSD port, Konstantinos
> Konstantinidis.
>
> There is a string format bug in vanessa_logger 0.0.1 which is what the post
> to BugTraq makes reference to. FreeBSD, was at the time of the posting
> shipping this vulnerable version.
>
> vanessa_logger 0.0.2, released on the 29th of June 2001, is not vulnerable
> to this exploit. FreeBSD have released a patched version of vanessa_logger
> 0.0.1 which is also not vulnerable. Users should upgrade to either of
> these.
>
> vanessa_logger 0.0.2 is available from
> ftp://ftp.vergenet.net/pub/vanessa/vanessa_logger/0.0.2
>
> At this time I would also like to highlight the importance of running
> perdition as a non-root user. The --username and --group options enable
> perdition to run as non-root for most of a processes life. If these options
> are used then the potential risk from any exploits stemming from the string
> format bug in vanessa_logger are significantly reduced.
>
> For more information on perdition please see
> http://vergenet.net/linux/perdition/
>
> --
> Horms
> Author of perdition and vanessa_logger
