
Bug#158637: [dendler@idefense.com: iDEFENSE Security Advisory: Linuxconf locally exploitable buffer overflow]



severity 158637 important
thanks

On Sat, Sep 21, 2002 at 02:38:55PM +0200, Michael Banck wrote:
> tags 158637 + patch
> thanks
> 
> As I stated, Debian's linuxconf package should not be vulnerable, as it
> is not installed setuid root.
> 
> Nevertheless, I've backported the patch from the latest upstream
> version, which makes the exploit[1] fail even if you happen to set
> linuxconf setuid root.

Would you mind uploading this? linuxconf is orphaned, and nobody has yet
offered to maintain it.

Since, as you say, we don't install linuxconf setuid root, I've
downgraded the bug in the meantime.

Thanks,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]


