[17044] in bugtraq
Re: OpenBSD Security Advisory
daemon@ATHENA.MIT.EDU (Todd C. Miller)
Wed Oct 4 14:31:21 2000
Message-Id: <200010041731.e94HVN719919@xerxes.courtesan.com>
Date: Wed, 4 Oct 2000 11:31:23 -0600
Reply-To: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
From: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
X-To: K2 <ktwo@KTWO.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Wed, 04 Oct 2000 00:31:03 PDT." <39DADCB7.4E416D8B@ktwo.ca>
In message <39DADCB7.4E416D8B@ktwo.ca>
so spake K2 (ktwo):
> Here is another exploit for an application (fstat) that OpenBSD's
> format string audit has seemingly forgotten about. What I would like to
> know is why this and a number of other privileged applications have
> security vulnerabilities in them. They WERE fixed, but NO ADVISORY nor
> ANY MENTION IN THEIR DAILY CHANGELOG! How can the impact of the
> vulnerability not be realized when they occur in something as privileged
> as that would be using pw_error()?
As one of the people who took part in the audit I can honestly say
that we didn't think they *were* exploitable. There was no intention
of hiding any fixes, we just went through the entire source tree
(we did not target privileged programs specifically) and fixed
format string problems where we found them and released patches for
those we knew to be exploitable (like xlock).
None of us are in the business of writing exploits--we just fix broken
code...
- todd
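The bug class the thread is arguing about, shown as an added illustration for this archive page rather than as fstat's, pw_error()'s or any OpenBSD audit code: a caller-supplied string handed to a printf-style function as the format itself, next to the fixed form where the string is only ever a "%s" argument. The function names report_vulnerable, report_fixed and count_conversions are hypothetical, the input string is constructed, and a benign "%%" is enough to show that the vulnerable path parses the data instead of copying it.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of an uncontrolled format string. None of this is
 * fstat's or pw_error()'s real code; the names are hypothetical.
 */

/* Thin vsnprintf wrapper so both variants share one formatting path. */
static int vformat(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: 'untrusted' becomes the format string, so any '%'
 * sequence in it is interpreted rather than copied. */
int report_vulnerable(char *out, size_t outlen, const char *untrusted)
{
    return vformat(out, outlen, untrusted);
}

/* Hardened form: the format is a constant and the data is an argument. */
int report_fixed(char *out, size_t outlen, const char *untrusted)
{
    return vformat(out, outlen, "%s", untrusted);
}

/*
 * Audit aid: a string that reaches a format parameter should contain no
 * conversion specifier unless it is a constant the author wrote. Returns
 * the number of '%' sequences that are not the literal "%%".
 */
int count_conversions(const char *s)
{
    int n = 0;

    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* "%%" is an escaped percent sign, not a conversion */
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input containing an escaped percent sign. */
    const char *input = "100%% done";
    char buf[64];

    report_vulnerable(buf, sizeof buf, input);
    printf("vulnerable: %s\n", buf);   /* "100% done": the input was parsed */
    report_fixed(buf, sizeof buf, input);
    printf("fixed:      %s\n", buf);   /* "100%% done": copied verbatim */
    printf("conversions: %d\n", count_conversions("id=%s, %%, %x"));  /* 2 */
    return 0;
}
```

The difference in output is the whole point of the audit: once a program's own data becomes the format, the program no longer controls what vsnprintf does with it, which is why the fix is always to move the data into the argument list behind a constant "%s".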