Re: Advisory: mgetty local compromise
daemon@ATHENA.MIT.EDU (Stan Bubrouski)
Tue Aug 29 11:45:01 2000
Message-ID: <4.3.1.2.20000828155950.00a78d10@pop.crosswinds.net>
Date: Mon, 28 Aug 2000 16:16:43 -0400
Reply-To: Stan Bubrouski <satan@FASTDIAL.NET>
From: Stan Bubrouski <satan@FASTDIAL.NET>
X-To: Gert Doering <gert@GREENIE.MUC.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000826165612.H20258@greenie.muc.de>
At 04:56 PM 8/26/00 +0200, Gert Doering wrote:
> > See I had actually reported this to bugtraq over two months ago,
>
>You haven't.
Yes I did.
>You have reported this to RedHat's "bugzilla" database, which is something
>completely different.
Yeah I reported it there too, but I did also post it to Bugtraq.
>Checking the bugtraq archives, there are exactly two articles containing
>the word "faxrunq". Both are written by me, in July 1997 - seems that
>your article from today is not yet indexed. Other articles from July this
>year are certainly visible.
Here's my post:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=20000622064042.29536.qmail@securityfocus.com
I got back from a trip today and found it by actually looking in the bugtraq
archives. Not too difficult, took me no time to find it. Wow, guess I was
telling the truth. You're right though, the search does not find it.
Here's a quote directly from the original Bugtraq post on June 21.
"The Mgetty-sendfax package has a symlink problem as well.
When faxrunqd is run it creates a file named .last_run
in the world-writable /var/spool/fax/outgoing directory
and wouldn't you know it follows symlinks and gladly
smashes any file you feel like smashing. More details
can be found at:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11874"
I mentioned it in a thread about Red Hat 6.2 compromises, which is exactly
why I decided to repost the vulnerability to the list again to make sure it
got proper attention.
> > and only one vendor addressed
> > the problem and they did it covertly so nobody knew.
>
>The "vendor" of mgetty+sendfax is *me*. You have not notified me, or the
>mgetty mailing list.
Yeah I noticed. Congratulations. I was referring to the vendor of a Linux
distribution. And BTW, "covertly" is the wrong word in the above excerpt;
I should have said "without notifying users", as it is clearer.
>[..]
> > I only made this report to clarify the vulnerability and because it had
> > now been fixed.
>
>In that case, please re-read the stuff before you post. What you did was
>to cause much fuzz, much panic ("what, 1.1.22 vulnerable as well?"), and
>no good.
Rereading didn't help. I posted it early in the morning, perhaps too early.
And what panic? I still don't see any linux vendors jumping at the
opportunity to release new packages for their current distros. Some
"panic." ;-)
I really can't give you any explanation for the inexplicable.
>The fact that there was this bug in 1.1.21 has been clearly reported in the
>mgetty list (and it's in the ChangeLog), and Linux distribution vendors
>usually pick up new releases quite quickly, so they should have fixed versions
>available RSN.
Yeah but most only include them in the next release of their distribution
unless they feel there is potential for mischief or headaches.
>[..]
> > > Second, I am really annoyed to find this on bugtraq, with false data,
> > > without any prior contact. The fact that I just released 1.1.22 should
> > > give you enough hint that I am still maintaining mgetty, and sending me a
> > > quick mail "hey, is this bug still open?" would have been in order.
> >
> > Not sure I understand this. I thought that's what vendors usually want.
> > A report on a vulnerability after a patch or fix is available.
>
>Huh? Vendors want the report on the vulnerability when you know about a
>problem, to be able to *develop* a fix.
>
>How do you think a vendor can develop a fix if you don't tell 'em?
>
>(Maybe we have different views what a "vendor" is. For mgetty+sendfax, I
>am, as the main author and coordinator).
I think of vendors as those who distribute the operating system
(commercially comes to mind) and people who maintain software as
maintainers. You're right there. A Linux vendor fixed it in their
distribution; that's what I was talking about.
> > If this is not
> > the case please let me know, I have scathing holes in other software that
> > are not public because they have yet to be fixed. Get real.
> > I don't get embarrassed by a simple typo, do you?
>
>You better should. Claiming publicly that something is vulnerable, even
>giving version numbers, when you really should know that it's fixed should
>be embarrassing. That's much more than a "simple typo".
Yeah seriously, I don't know how I can sleep at night making such a grievous
error. Had I intended to make it seem as though 1.1.22 was vulnerable,
I would have said versions 1.1.22 and previous are vulnerable; I wouldn't have
listed both. I don't know why I didn't notice it. An error is an error
is an error.
You pointed out the error and I thought you made it clear the first time. Do
you like pouring salt in wounds or something?
-Stan
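Added example, not code from the original post or from mgetty+sendfax: one hardened way to create a marker file such as .last_run in a shared spool directory so that a symlink planted at that name is refused rather than followed, plus a constructed temp-directory scenario that exercises both the planted and the clean case. The function and scenario names and the /tmp paths are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create or truncate marker "name" in spool "dir" without following a planted
   symlink; anything there that is not a plain file we own is refused. Returns fd or -1. */
int open_marker_nofollow(const char *dir, const char *name) {
    struct stat st;
    int flags = O_WRONLY | O_NOFOLLOW | O_CLOEXEC;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -1;
    if (fstatat(dfd, name, &st, AT_SYMLINK_NOFOLLOW) == 0) {
        /* Existing entry: accept only a regular file owned by us, one link. */
        if (!S_ISREG(st.st_mode) || st.st_uid != geteuid() || st.st_nlink != 1) {
            close(dfd); errno = EPERM; return -1;
        }
        flags |= O_TRUNC;
    } else if (errno == ENOENT) {
        flags |= O_CREAT | O_EXCL;   /* fail if anything appears meanwhile */
    } else { close(dfd); return -1; }
    int fd = openat(dfd, name, flags, 0644);
    close(dfd);
    /* Re-check the opened descriptor: closes the check-then-use window. */
    if (fd >= 0 && (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid())) {
        close(fd); errno = EPERM; fd = -1;
    }
    return fd;
}

/* Constructed scenario in a temp dir. plant=1 puts a symlink named .last_run
   pointing at a victim file (the bug class from the post); plant=0 leaves it empty.
   Returns 1 if refused and victim keeps its 8 bytes (plant=1), or opened (plant=0). */
int demo_marker(int plant) {
    char dir[] = "/tmp/spoolXXXXXX", victim[64], link[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/.last_run", dir);
    int t = open(victim, O_WRONLY | O_CREAT, 0644);
    if (t < 0 || write(t, "keep me\n", 8) != 8) return 0;
    close(t);
    if (plant && symlink(victim, link) != 0) return 0;
    int fd = open_marker_nofollow(dir, ".last_run");
    int ok = plant ? (fd < 0 && stat(victim, &st) == 0 && st.st_size == 8) : (fd >= 0);
    if (fd >= 0) close(fd);
    unlink(link); unlink(victim); rmdir(dir);
    return ok;
}
```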