> To: vulnwatchat_private, bugtraqat_private, > vuln-devat_private, lanceat_private, > full-disclosureat_private, submissionsat_private > Date: Fri, 9 Aug 2002 15:54:32 -0700 > Subject: [Full-Disclosure] Local Root Exploit > Reply-To: full-disclosureat_private > This exploit has been published _after_ SuSE Security have published the packages for the bug on Thursday, August 8, 18:05MEST. I don't want to claim that gobbles learnt about the bug from the changelogs, but it definitely looks like. It is correct that finding format string bugs should be left to the professionals. This bug has been found by Sebastian Krahmer, SuSE Security, during an internal code audit. Urgent and adverse matters kept us from publishing it earlier. It looks like it was early enough. Please update using the following command: rpm -Fhv ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/i4l-2002.7.31-0.i386.rpm ipppd is not installed setuid root any more with this update package. Besides, I don't think that it is appropriate to carry out a catfight on a security list. > * > * GENERIC FORMATSTRING EXPLOITS ARE SUPER DUPER FUN > * > * We're surprised that format bugs are allowed in 7350linux, but no one > * is perfect. Finding format bugs is a difficult task, and should be left > * to the professionals. A little known fact -- Paul Vixie invented > * insecure programming. We wanted to get this bug squashed before some > * "researcher" from snosoft.com discovered it and tried to make some money > * off it. Help us in our mission to eliminate the existance of format bugs > * in code. > * > * Greets: [...] Thanks, Roman. -- - - | Roman Drahtmüller <drahtat_private> // "You don't need eyes to see, | SuSE Linux AG - Security Phone: // you need vision!" | Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless | - - _______________________________________________ Full-Disclosure - We believe in it. Full-Disclosureat_private http://lists.netsys.com/mailman/listinfo/full-disclosure
This archive was generated by hypermail 2b30 : Sat Aug 10 2002 - 08:38:53 PDT