[25316] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Re: Slrnpull Buffer Overflow (-d parameter)

daemon@ATHENA.MIT.EDU (Bill Nottingham)
Tue Apr 30 15:31:28 2002

Date: Tue, 30 Apr 2002 12:08:56 -0400
From: Bill Nottingham <notting@redhat.com>
To: Alex Hernandez <alex_hernandez@ureach.com>
Cc: bugtraq@securityfocus.com
Message-ID: <20020430120856.B6568@wierzbowski.devel.redhat.com>
Mail-Followup-To: Alex Hernandez <alex_hernandez@ureach.com>,
	bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200204222022.QAA30139@www20.ureach.com>; from alex_hernandez@ureach.com on Mon, Apr 22, 2002 at 04:22:17PM -0400

Alex Hernandez (alex_hernandez@ureach.com) said: 
> Linux RH.6.2 Sparc64 and below versions.

On Red Hat Linux 6.2 for sparc:

# ls -l /usr/bin/slrnpull
-rwxr-s---    1 news     news        48688 Feb  7  2000 /usr/bin/slrnpull 
# rpm -q slrn-pull
slrn-pull-0.9.6.2-4

With all updates applied:

# ls -l /usr/bin/slrnpull
-rwxr-s---    1 root     news        55456 Mar  1  2001 /usr/bin/slrnpull
# rpm -q slrn-pull
slrn-pull-0.9.6.4-0.6

Hence, while you may be able to get group news, the program is only
runnable by group news. So, I don't think there are any security
implications here.

Bill


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[25316] in bugtraq

Re: Slrnpull Buffer Overflow (-d parameter)

daemon@ATHENA.MIT.EDU (Bill Nottingham)Tue Apr 30 15:31:28 2002

daemon@ATHENA.MIT.EDU (Bill Nottingham)
Tue Apr 30 15:31:28 2002