[15438] in bugtraq
Re: rh 6.2 - gid compromises, etc
daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu Jun 22 21:41:04 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <ylitv2hazo.fsf@windlord.stanford.edu>
Date: Wed, 21 Jun 2000 16:26:19 -0700
Reply-To: Russ Allbery <rra@STANFORD.EDU>
From: Russ Allbery <rra@STANFORD.EDU>
X-To: Michal Zalewski <lcamtuf@TPI.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Michal Zalewski's message of "Wed, 21 Jun 2000 12:54:08 +0200"

Michal Zalewski <lcamtuf@TPI.PL> writes:

> Under some conditions, inews can be used in the same way, but the bug
> is hidden a little bit deeper. I'll leave it as an exercise to
> readers (and maintainers - please audit your code, not only fix
> published bugs),

inews is no longer installed setgid in the current versions of INN, and I
recommend that other packagers of INN make that change as well. I have
gone through the code a few times to try to clean it up, but it is in dire
need of a complete rewrite (which would be less work than a full audit,
frankly) and I would not recommend giving it enhanced privileges until
that's been done.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>