Summarizing the replies...

> 1. Overflow in CAC.Washington.EDU ipop3d 4.xx
> 2. Overflow in pine 4.xx (Linux)

Mark Crispin, on devel list: "...however, that only affects either an index or a stat buffer, neither of which is subsequently used. Furthermore, even if there was an overflow, it is impossible to use this to gain superuser access. This lock access is only done by a process after being logged in as the user."

So he claims it is NOT exploitable. Not true. It IS exploitable, please just type 'gdb' and take a better look at what happens. While root privileges are dropped, anyone who thinks that ipop3d couldn't be exploited to gain any privileges is wrong! Take a look at open file descriptors, Mark. Problem should be fixed in next release of IMAP package.

> 3. Lockfile vulnerability in pine 4.xx (Linux)
> 4. Lockfile vulnerability in ipop3d 4.xx

It has been addressed as a 'negative value' problem. The problem is the buggy negotiation protocol, not the negative, positive or any other PID itself (disallowing negative values won't prevent an attacker from killing chosen processes). So, as of today, there's no chance for a complete solution on /tmp mailbox locks.

> 5. Linux 2.x IPC vulnerability

As Solar Designer said, there is a 'beancounter' feature (or per-user limits, instead of per-process). Probably it will be implemented in 2.2.x kernels soon. As of today, it's hard to control detached IPC pages.

> 7. Midnight Commander 4.x bugs (x2)

While Miguel de Icaza claims there are no known bugs in mc, Pavel Machek confirmed that there are still unfixed races.

Thank you.

_______________________________________________________________________
Michal Zalewski [lcamtufat_private] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine [P. Deutsch]
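The lock-file items (3 and 4) above come down to a daemon reading a PID back from a lock file in a world-writable directory and acting on it; as the post says, rejecting negative values does not help when the whole value is chosen by whoever wrote the file. The following is an added example, not code from the post or from the pine/IMAP package: it shows the defensive alternative in C, locking the mailbox itself with a kernel-managed fcntl() lock that disappears with its holder (so no recorded PID and no kill() of a "stale" holder are ever needed), creating any compatibility lock file with O_EXCL|O_NOFOLLOW, and treating a PID parsed from a lock file as informational only. All function names and the temporary files under /tmp are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Advisory whole-file lock on the mailbox itself (fcntl F_SETLK). The kernel
 * releases it when the holder exits, so no PID is written anywhere and no
 * "stale lock" recovery by kill() is required. Returns 0 on success, -1 with
 * errno EAGAIN/EACCES if another process holds the lock. */
int mailbox_lock(int fd) {
    struct flock fl;
    memset(&fl, 0, sizeof fl);
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;
    fl.l_start = 0;
    fl.l_len = 0;            /* 0 = lock to end of file */
    return fcntl(fd, F_SETLK, &fl);
}

/* If a lock file in a shared directory is still wanted for compatibility,
 * create it atomically and never follow a pre-placed symlink.
 * Returns the fd, or -1 (EEXIST if the name is taken, ELOOP if a symlink). */
int create_lockfile(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* A PID read from a lock file is data written by some other user. This only
 * checks that the contents are a well-formed positive integer so the value
 * can be logged or reported; range checks cannot tell a real stale holder
 * from a PID picked by the writer, so the caller must never kill() it.
 * Returns 1 and sets *pid_out if well-formed, 0 otherwise. */
int parse_lock_pid(const char *contents, long *pid_out) {
    char *end;
    errno = 0;
    long v = strtol(contents, &end, 10);
    if (end == contents || errno != 0) return 0;
    while (*end == '\n' || *end == ' ') end++;
    if (*end != '\0' || v <= 0) return 0;
    *pid_out = v;
    return 1;
}

/* Fork a child that opens `path` and tries the lock. Returns 1 if refused
 * (another process holds it), 0 if acquired, -1 on error. */
static int child_try_lock(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int fd = open(path, O_RDWR);
        if (fd < 0) _exit(2);
        if (mailbox_lock(fd) == 0) _exit(0);
        _exit((errno == EAGAIN || errno == EACCES) ? 1 : 2);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 2 ? -1 : code;
}

/* Constructed temporary "mailbox": a second process must be refused while we
 * hold the lock and must succeed once we close our descriptor.
 * Returns 1 if both observations hold, 0 otherwise. */
int demo_lock_contention(void) {
    char path[] = "/tmp/mbox-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    int ok = 0;
    if (mailbox_lock(fd) == 0) {
        int refused = child_try_lock(path);
        close(fd);           /* closing the fd releases our lock */
        fd = -1;
        int acquired = child_try_lock(path);
        ok = (refused == 1 && acquired == 0);
    }
    if (fd >= 0) close(fd);
    unlink(path);
    return ok;
}

/* A pre-existing entry under the lock-file name must make creation fail
 * with EEXIST rather than be reused. Returns 1 if refused, 0 otherwise. */
int demo_lockfile_exclusive(void) {
    char path[] = "/tmp/mbox-demo-lock-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    close(fd);
    int lfd = create_lockfile(path);
    int refused = (lfd < 0 && errno == EEXIST);
    if (lfd >= 0) close(lfd);
    unlink(path);
    return refused;
}

int main(void) {
    long p = 0;
    printf("fcntl contention handled: %d\n", demo_lock_contention());
    printf("existing lock file refused: %d\n", demo_lockfile_exclusive());
    int bad = parse_lock_pid("-1\n", &p);
    int good = parse_lock_pid("4242\n", &p);
    printf("parse '-1' -> %d, parse '4242' -> %d (pid %ld)\n", bad, good, p);
    return 0;
}
```

The fcntl() lock covers the case the post says has no complete solution with /tmp lock files: there is no negotiation step in which one process has to decide whether another process named in a file is dead. Where a classic lock file must still be produced for other mail software, create_lockfile() at least refuses symlinks and name collisions, and the PID inside it is only ever reported, not signalled.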
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:47 PDT