[4033] in bugtraq
Re: IRIX: Bug in startmidi
daemon@ATHENA.MIT.EDU (Yuri Volobuev)
Mon Feb 10 20:22:27 1997
Date: Mon, 10 Feb 1997 16:06:39 -0600
Reply-To: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
From: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
X-To: David Hedley <hedley@cs.bris.ac.uk>
To: BUGTRAQ@netspace.org
In-Reply-To: <17557.855569553@maxx>
> YV> You must have some special configuration, I recon. On the box I
> YV> was testing on
>
> YV> showfiles | grep startmidi f 64563 18688 dmedia_eoe.sw.midi
> YV> usr/sbin/startmidi
> YV> It's Irix 5.3 with all security patches applied, plus DSE 1.1.
>
> This is what I get:
>
> showfiles | grep startmidi
>
> f 46022 18608 dmedia_eoe.sw.midi usr/sbin/startmidi
>
> This is on an unpatched 5.3 box. Looks like it was fixed at some point,
> although I can find no reference to it anywhere....
I checked where binary on my machine came from, it looks it originates from
DSE (Desktop Special Edition) distribution. At least the one on the DSE 1.0
CD I have is the same as the installed one (dealing with Irix inst is a
royal pain in ass).
So I guess saying that those who have original Irix 5.3 startmidi installed
are vulnerable, and those who have DSE installed are not would be a true
statement. Of course, it's only true about 5.3, I've no idea how things are
done in 6.2. I suspect it's fixed there, in the same way it was fixed in
DSE, but remembering the same sets of bugs found in 6.x after they were
found and fixed in 5.3, I'd be careful with any assumptions.
Thanks again to our friends in SGI for promptly notifying its customers about
known security problems, at cost of own prestige.
cheers,
yuri
Always speaking for myself, and only for myself
