
Re: [SECURITY] [DSA 076-1] New most packages available



My point is, it's not a daemon, it's not associated w/ any type of network
service, it's not associated w/ any clients that regularly receive untrusted
data from outside sources, and it's not even used by default on most
people's boxes (less, if installed, will be used instead of most by default).

If you're going to associate a vulnerability in something like most as
being remotely exploitable, at least explain it a bit.  I have most
installed (and less removed) on a few of my boxes; the DSA had me
wondering what else (aside from man) might be using most by
default.


On Tue, Sep 18, 2001 at 04:24:05PM -0700, Micah Anderson wrote:
> 
> Not all mutt users use vi, as a pager I use most, as an editor I use
> jed. These things can be configured.
> 
> 
> On Tue, 18 Sep 2001, Andres Salomon wrote:
> 
> > Aside from the fact that it's a pretty big IF; I'm not aware of too many
> > mail clients that use pagers.  mutt uses vi, pine uses pico, X based MUAs
> > certainly don't use most.. perhaps mail(x) or something similar use
> > it, but that's not all too common.  Certainly not enough, IMO, to classify
> > this as a remote exploit.
> > 
> > 
> > On Tue, Sep 18, 2001 at 05:01:59PM -0400, Aaron M. Ucko wrote:
> > > 
> > > Andres Salomon <dilinger@mp3revolution.net> writes:
> > > 
> > > > How is this a remote exploit?  
> > > 
> > > If I know somebody uses most as a pager for mail, I can send him or
> > > her a specially-formatted message which will do various nasty things
> > > to his or her account.
> > > 
> > > -- 
> > > Aaron M. Ucko, KB1CJC <amu@mit.edu> (finger amu@monk.mit.edu)
> > > 
> > > 
> > 
> > -- 
> > "Any OS is only as good as its admin, and you obviously suck."
> > 	-- Ian Gulliver, http://orbz.org/mail/mansunix.txt
> > 
> > 
> > -- 
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> 

-- 
"Any OS is only as good as its admin, and you obviously suck."
	-- Ian Gulliver, http://orbz.org/mail/mansunix.txt


