Re: [SECURITY] [DSA 522-1] New super packages fix format string vulnerability
On Sat, Jun 19, 2004 at 11:46:37AM +0200, Bernhard Kuemel wrote: > Matt Zimmerman wrote: > > >Package: super > >Vulnerability : format string > >Problem-Type : remote > > >Max Vozeler discovered a format string vulnerability in super, a > >program to allow specified users to execute commands with root > >privileges. This vulnerability could potentially be exploited by a > >local user to execute arbitrary code with root privileges. > > Why is the problem remote, when it can be exploited by a local user? Late night. -- - mdz
Re: [SECURITY] [DSA 522-1] New super packages fix format string vulnerability
On Sat, Jun 19, 2004 at 11:46:37AM +0200, Bernhard Kuemel wrote: > Matt Zimmerman wrote: > > >Package: super > >Vulnerability : format string > >Problem-Type : remote > > >Max Vozeler discovered a format string vulnerability in super, a > >program to allow specified users to execute commands with root > >privileges. This vulnerability could potentially be exploited by a > >local user to execute arbitrary code with root privileges. > > Why is the problem remote, when it can be exploited by a local user? Late night. -- - mdz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: password managers
On Tue, 15 Jun 2004 (10:46), Alberto Gonzalez Iniesta wrote: > autocmd BufReadPre,FileReadPre *.gpg,*.asc set viminfo= > autocmd BufReadPre,FileReadPre *.gpg,*.asc set noswapfile These auto-commands are very interesting... But there is an error: BufReadPre is _not_ executed if the file does not exist, so if you are editing a new file your viminfo setting are the defaults, leaving traces of your encrypted file in your .viminfo . I strongly suggest to add the event 'BufNewFile' to the first 2 autocmd, hoping this can resolve the problem. Ciao, Daniele -- JID: [EMAIL PROTECTED] (http://www.jabber.org) Free your mind signature.asc Description: Digital signature
Re: [SECURITY] [DSA 522-1] New super packages fix format string vulnerability
Hi Matt! Matt Zimmerman wrote: Package: super Vulnerability : format string Problem-Type : remote Max Vozeler discovered a format string vulnerability in super, a program to allow specified users to execute commands with root privileges. This vulnerability could potentially be exploited by a local user to execute arbitrary code with root privileges. Why is the problem remote, when it can be exploited by a local user? Bernhard -- Webspace; Low end Serverhousing ab 15 e, etc.: http://www.bksys.at Linux Admin/Programmierer: http://bksys.at/bernhard/services.html
Re: password managers
On Tue, 15 Jun 2004 (10:46), Alberto Gonzalez Iniesta wrote: > autocmd BufReadPre,FileReadPre *.gpg,*.asc set viminfo= > autocmd BufReadPre,FileReadPre *.gpg,*.asc set noswapfile These auto-commands are very interesting... But there is an error: BufReadPre is _not_ executed if the file does not exist, so if you are editing a new file your viminfo setting are the defaults, leaving traces of your encrypted file in your .viminfo . I strongly suggest to add the event 'BufNewFile' to the first 2 autocmd, hoping this can resolve the problem. Ciao, Daniele -- JID: [EMAIL PROTECTED] (http://www.jabber.org) Free your mind signature.asc Description: Digital signature
Re: [SECURITY] [DSA 522-1] New super packages fix format string vulnerability
Hi Matt! Matt Zimmerman wrote: Package: super Vulnerability : format string Problem-Type : remote Max Vozeler discovered a format string vulnerability in super, a program to allow specified users to execute commands with root privileges. This vulnerability could potentially be exploited by a local user to execute arbitrary code with root privileges. Why is the problem remote, when it can be exploited by a local user? Bernhard -- Webspace; Low end Serverhousing ab 15 e, etc.: http://www.bksys.at Linux Admin/Programmierer: http://bksys.at/bernhard/services.html -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Ticket creation failed
No permission to create tickets in the queue 'accounts' -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 521-1 [EMAIL PROTECTED] http://www.debian.org/security/ Matt Zimmerman June 18th, 2004 http://www.debian.org/security/faq - -- Package: sup Vulnerability : format string Problem-Type : remote Debian-specific: no CVE Ids: CAN-2004-0451 [EMAIL PROTECTED] discovered a format string vulnerability in sup, a set of programs to synchronize collections of files across a number of machines, whereby a remote attacker could potentially cause arbitrary code to be executed with the privileges of the supfilesrv process (this process does not run automatically by default). CAN-2004-0451: format string vulnerabilities in sup via syslog(3) in logquit, logerr, loginfo functions For the current stable distribution (woody), this problem has been fixed in version 1.8-8woody2. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you update your sup package. Upgrade Instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - Source archives: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2.dsc Size/MD5 checksum: 538 f5817f83647a677ec6781c9d55843307 http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2.diff.gz Size/MD5 checksum: 6859 7b9cf999b1fb2c7662024ceb0c498039 http://security.debian.org/pool/updates/main/s/sup/sup_1.8.orig.tar.gz Size/MD5 checksum: 65 76371f01340ce62cd71687349c5aa27e Alpha architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_alpha.deb Size/MD5 checksum: 103714 62123f3b8178825af23107d24c843bd1 ARM architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_arm.deb Size/MD5 checksum:82756 a866d4f3b3fdbdb86e2db7ba745ea480 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_i386.deb Size/MD5 checksum:82624 580ca0b977cc27212c4e7778b435d4f3 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_ia64.deb Size/MD5 checksum: 127664 cf7db9e24bbf333da16343bcdc5e9e82 HP Precision architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_hppa.deb Size/MD5 checksum:94516 371292e2eaec3f04d49c8b29cb6e82ed Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_m68k.deb Size/MD5 checksum:76454 4144ec09078326ba8e3facc6bef0e3b8 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_mips.deb Size/MD5 checksum:96814 c7e843b2ac5573c792c8c45910717f07 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_mipsel.deb Size/MD5 checksum:96452 c0558b55bce77470e1d9d52b515d39e1 PowerPC architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_powerpc.deb Size/MD5 checksum:85246 06e0683ba5c24a406a02b131304a6e6f IBM S/390 architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_s390.deb Size/MD5 checksum:84656 b1e6f251fc3a22eb43d9bbd3044828bc Sun Sparc architecture: http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_sparc.deb Size/MD5 checksum:89948 b8965ae16901df1eb9eb64faa8169d39 These files will probably be moved into the stable distribution on its next revision. - - For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFA07eRArxCt0PiXR4RArlSAJ4iW4GblVHLWXwzearT+H4mGQcg/gCgiViY A2Pf/3Y9xupsEwnFSH+Cr5w= =yjyQ -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]