[980] in bugtraq
Re: Solaris 2.3-2.4 Audit Bug
daemon@ATHENA.MIT.EDU (Mark Graff )
Mon Feb 13 18:27:38 1995
Date: Mon, 13 Feb 1995 10:07:44 -0800
From: Mark.Graff@Eng.Sun.COM ( Mark Graff )
To: bugtraq@fc.net, dowiii@charlie.ksu.ksu.edu
Dow,
The answer to your question is that we maintain a mail alias,
security-alert@sun.com, to receive reports like this; and any
of the Answer Centers world-wide, I believe, would accept such
a report as well.
This sounds like the same bug we are about to release a patch
for. It's our policy to have patches available for all of the
affected platforms, then announce the bug and the patches
together.
I will contact you privately for details, then put a followup
note here within a day or two.
Mark G. Graff
415-688-9151
security-alert@sun.com
From owner-bugtraq@fc.net Sat Feb 11 15:30:11 1995
Subject: Solaris 2.3-2.4 Audit Bug
To: bugtraq@fc.net
Date: Sat, 11 Feb 1995 16:55:32 -0600 (CST)
Precedence: bulk
I'm sorry if this has been discussed before.
There is a major security problem with auditing under Solaris 2.3
and 2.4. If you run bsmconv to turn on auditing, any user can
break root very, very easily. I'd say more but I'd like to give
Sun at least a little bit of a chance to fix it first.
I have access to the source code for the OS and have tracked down
the one line of bad code. How can I contact Sun to tell them the
problem with this line of code?????????????
---
dowiii@ksu.ksu.edu
Dow Summers
Computing and Network Services
Kansas State University