
Re: Security hole in dosemu package

On Thu, 14 Nov 1996, Daniel Quinlan wrote:

quinlan >Sorry for the resend of the bug, but I wanted to get it logged for
quinlan >future maintainers and actually warn the mailing list.

I think you misstated the issue. You are trying to parse a configuration
file and you see the error messages of dosemu when parsing it. Naturally
that configuration file is read while dosemu still has not dropped its
superuser privileges. Get on the mailing list for dosemu and talk to the
guys. This is really a non-Debian-specific security hole in dosemu.

quinlan >Red Hat 4.0 doesn't come with a `users' file at all.  That's probably
quinlan >safe enough that it can be setuid root.

Is it compiled to use the "users" file at all? Last that I know was that
RedHat had an older version of dosemu which might not support the
/etc/dosemu.users file. But that was a while ago.

--- +++ --- +++ --- +++ --- +++ --- +++ --- +++ --- +++ ---
PGP Public Key  =  FB 9B 31 21 04 1E 3A 33  C7 62 2F C0 CD 81 CA B5 
