Summarizing the replies...
> 1. Overflow in CAC.Washington.EDU ipop3d 4.xx
> 2. Overflow in pine 4.xx (Linux)
Mark Crispin, on devel list: "...however, that only affects either an
index or a stat buffer, neither of which is subsequently used.
Furthermore, even if there was an overflow, it is impossible to use this
to gain superuser access. This lock access is only done by a process
after being logged in as the user."
So he claims it is NOT exploitable. Not true. It IS exploitable, please
just type 'gdb' and take a better look on what happens. While root
privledges are dropped, anyone who thinks that ipop3d couldn't be
exploited to gain any privledges, is wrong! Take a look on open file
descriptors, Mark. Problem should be fixed in next release of IMAP
package.
> 3. Lockfile vunerability in pine 4.xx (Linux)
> 4. Lockfile vunerability in ipop3d 4.xx
It has been addressed as 'negative value' problem. The problem is buggy
negotiation protocol, not negative, positive or any other PID itself
(disallowing negative values won't prevent attacker from killing choosen
processes). So, as today, there's no chance for complete solution on /tmp
mailbox locks.
> 5. Linux 2.x IPC vunerability
As Solar Designer said, there are 'beancounter' feature (or per-user
limits, instead of per-process). Probably it will be implemented in
2.2.x kernels soon. As today, it's hard to control detached IPC pages.
> 7. Midnight Commander 4.x bugs (x2)
While Miguel de Icaza claims there's no known bugs in mc, Pavel Machek
confirmed that there are still not fixed races.
Thank you.
_______________________________________________________________________
Michal Zalewski [lcamtufat_private] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:47 PDT