It is interesting to note that the gnuplot on my system is NOT suid root (nor have I modified the default installed settings). My version is 3.5 patchlevel 3.50.1.17 (i.e. very old). The distribution is Slackware. I agree with xnec in that I can see no good reason to make it suid root. Anyone know why this was done? Anytime a program is going to do this, a full audit should be made - some people take the suid bit not seriously enough. Simply running strings against it should cause someone looking at that output to feel a bit suspicious. Granted, the suid bit might be placed by the distribution and not the program's author. Finally, thanks to xnec for providing BOTH the exploit and the fix which is how it should be done on a full disclosure list. - Speed_D
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:04 PDT