
Re: mgetty vulnerable



On Fri, 2 May 2003, Wolfgang Sourdeau wrote:
> I am not subscribed to debian-security, so please include me in your Cc:
> for this discussion.
>
Likewise.

> I have noticed a "fax" user was expected in mgetty-1.1.30 (never played
> with 1.1.29). The problem I have with that is that this user is required at
> build time (during the make install phase). Another problem is that
> Debian does not have such a user, although one used to exist temporarily
> for hylafax a couple of years ago. Now, hylafax is using uucp, so is
> pppd and every communication server package I know of in Debian.
>
> The problem here seems to be that mgetty's sendfax was running under
> user root. Now, if we use uucp (which I have modified mgetty 1.1.30 for
> last week), I don't see where the problem is. I don't see the point in
> requesting the creation of a user for one little program nor do I judge
> this compromise (using uucp) as a security issue.
>
> Please correct me if I am wrong though.
>
http://www.securityfocus.com/bid/7302 lists some more information. I don't
think Debian has this vulnerability either, but I haven't checked.
Under Credits you can find a Gentoo and Redhat advisory.

Are there any group or world readable directory issues as is suggested to
me? I'm talking about during installation *and* in normal use.

> ps: now it seems Debian mgetty's sendfax is broken since 1.1.30, but
> this is another issue which will be fixed before next week.
>
Off topic, but related...
I've been having trouble with mgetty and vgetty for years now. I had it
almost working the way I wanted, but then it answered the phone and
wouldn't hang up... after that vgetty or mgetty couldn't answer the
phone, even after reboot... but I haven't looked into this for a long time
now and that box might have fs problems now.

    Drew Daniels
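The question above about group- or world-readable directories is something a packager can check mechanically. The following POSIX sh script is an added example, not code from this thread or from the mgetty project; the directories it inspects are constructed in a temporary directory, and it does not assume any particular mgetty or sendfax spool path, since the thread does not name one.

```shell
#!/bin/sh
# Added example (not part of the original thread): flag group/world read or
# write bits on a directory tree, the class of issue the question above asks
# about. Paths below are constructed in a temp dir; the real mgetty/sendfax
# spool locations depend on the package build and are not assumed here.

# perms_of PATH : print the 10-character mode string, e.g. drwxr-x---
perms_of() {
    ls -ld "$1" | cut -c1-10
}

# audit_path PATH : report any group or world read/write bit.
# Returns 0 when only the owner has access, 1 when something was flagged.
audit_path() {
    p=$1
    m=$(perms_of "$p")
    path_rc=0
    # mode string positions: 5,6 = group r/w ; 8,9 = other (world) r/w
    case $(printf '%s' "$m" | cut -c5) in r) printf '%s: group-readable\n' "$p"; path_rc=1 ;; esac
    case $(printf '%s' "$m" | cut -c6) in w) printf '%s: group-writable\n' "$p"; path_rc=1 ;; esac
    case $(printf '%s' "$m" | cut -c8) in r) printf '%s: world-readable\n' "$p"; path_rc=1 ;; esac
    case $(printf '%s' "$m" | cut -c9) in w) printf '%s: world-writable\n' "$p"; path_rc=1 ;; esac
    return $path_rc
}

# audit_tree DIR : run audit_path over DIR and everything below it.
# Prints the collected findings; returns 1 if any entry was flagged.
audit_tree() {
    findings=$(find "$1" -print | while IFS= read -r f; do audit_path "$f"; done)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Stand-alone demo on a constructed tree (removed afterwards)
demo() {
    t=$(mktemp -d)
    mkdir "$t/spool" "$t/spool/outgoing"
    chmod 700 "$t/spool"
    chmod 755 "$t/spool/outgoing"   # the kind of setting the question is about
    if audit_tree "$t/spool"; then
        echo "clean"
    else
        echo "review the findings above"
    fi
    rm -rf "$t"
}
demo
```

Run it both right after `make install` and again after the daemon has created its spool files, since the two phases can produce different modes (umask at install time versus what the running program sets). Group-readable bits are reported too, because whether a uucp-group spool may be readable by group members is a decision the packager has to make explicitly rather than inherit from the build.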


