
Re: Security hole in setuid packages



Daniel Quinlan wrote:

>> [...]
>> Anyway, here is my procedure for looking for likely vulnerable
>> programs.
>> [...]
>> -rwsr-xr-x   1 man      root        66701 Jul  7 13:56 man
>> -rwsr-xr-x   1 man      root        52521 Jul  7 13:56 mandb
>> [...]

Fabrizio Polacco <fpolacco@megabaud.fi> writes:

> Are these "vulnerable programs" ?  Please, tell me why.

Probably not.  I was one of the testers of mandb during its
development; the author was very careful to design the program to be
secure.  Since it is setuid man, only the man page cache can be
compromised if something goes wrong.

Dan
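
The point made in the reply above, that a setuid program can only compromise what its owning account can reach, can be checked per file by reading the owner next to the setuid bit. The following is an added example, not part of the original message and not the procedure elided in the quote; the function names `classify_setuid`, `scan_setuid` and `sample_listing` are hypothetical, and the sample listing is constructed from the two lines quoted in the thread plus two made-up entries.

```shell
#!/bin/sh
# Added example: classify setuid entries in `ls -l` output by owning account.

# classify_setuid: reads `ls -l` lines on stdin and prints, for every regular
# file with the setuid bit, "<class> <owner> <name>".
#   ROOT    = runs with root's privileges
#   NONROOT = runs as a dedicated account (e.g. "man"); a flaw exposes only
#             what that account can access
# Assumption: file names contain no whitespace (the name is the last field).
classify_setuid() {
    awk '
        # Field 1 is the mode string. Its 4th character is the owner-execute
        # slot: "s" = setuid + execute, "S" = setuid without execute.
        $1 ~ /^-..[sS]/ {
            class = ($3 == "root") ? "ROOT" : "NONROOT"
            print class, $3, $NF
        }
    '
}

# scan_setuid DIR: the same classification over a real directory tree,
# staying on one filesystem.
scan_setuid() {
    find "$1" -xdev -type f -perm -4000 -exec ls -ld {} + | classify_setuid
}

# Constructed sample: the first two lines are the ones quoted in the thread,
# the last two are made up for contrast.
sample_listing() {
    cat <<'EOF'
-rwsr-xr-x   1 man      root        66701 Jul  7 13:56 man
-rwsr-xr-x   1 man      root        52521 Jul  7 13:56 mandb
-rwsr-xr-x   1 root     root        20000 Jul  7 13:56 example-suid-root
-rwxr-xr-x   1 root     root        10000 Jul  7 13:56 example-plain
EOF
}

sample_listing | classify_setuid
```

On a live system, `scan_setuid /usr/bin` produces the same three-column report for an audit.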


