Re: Slrnpull Buffer Overflow (-d parameter)

From: Bill Nottingham (nottingat_private)
Date: Tue Apr 30 2002 - 09:08:56 PDT

Next message: Jordan K Wiens: "Re: Reading local files in Netscape 6 and Mozilla (GM#001-NS)"

Previous message: Peter Gründl: "KPMG-2002016: Bea Weblogic incorrect URL parsing issues"
In reply to: Alex Hernandez: "Slrnpull Buffer Overflow (-d parameter)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Alex Hernandez (alex_hernandezat_private) said: 
> Linux RH.6.2 Sparc64 and below versions.

On Red Hat Linux 6.2 for sparc:

# ls -l /usr/bin/slrnpull
-rwxr-s---    1 news     news        48688 Feb  7  2000 /usr/bin/slrnpull 
# rpm -q slrn-pull
slrn-pull-0.9.6.2-4

With all updates applied:

# ls -l /usr/bin/slrnpull
-rwxr-s---    1 root     news        55456 Mar  1  2001 /usr/bin/slrnpull
# rpm -q slrn-pull
slrn-pull-0.9.6.4-0.6

Hence, while you may be able to get group news, the program is only
runnable by group news. So, I don't think there are any security
implications here.

Bill

Next message: Jordan K Wiens: "Re: Reading local files in Netscape 6 and Mozilla (GM#001-NS)"
Previous message: Peter Gründl: "KPMG-2002016: Bea Weblogic incorrect URL parsing issues"
In reply to: Alex Hernandez: "Slrnpull Buffer Overflow (-d parameter)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Apr 30 2002 - 12:28:39 PDT