
Re: [SECURITY] [DSA 557-1] New rp-pppoe packages fix potential root compromise

On Mon, 2004-10-11 at 21:13 +0200, Nils Rennebarth wrote:
> Martin Schulze wrote:
> > Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
> > driver from Roaring Penguin.  When the program is running setuid root
> > (which is not the case in a default Debian installation), an attacker
> > could overwrite any file on the file system.
> > 
> > For the stable distribution (woody) this problem has been fixed in
> > version 3.3-1.2.
> > 
> > For the unstable distribution (sid) this problem has been fixed in
> > version 3.5-4.
> Is there an estimation when the 3.5-4 Version for unstable will hit the 
> archive?

Okay, don't run it as setuid root. Nothing I can find on bugs.d.o or
packages.d.o or alioth even begins to show 3.5-4 as existing yet.

But, unless you run rp-pppoe/pppoe as setuid root... you should be fine.
Minimizing the damage has already been done in the way it is set up by
default in Debian.

greg, greg@gregfolkert.net

The technology that is
Stronger, better, faster: Linux

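The advice above boils down to a single check: is the pppoe binary installed setuid root or not? The following script is an added example, not part of this thread or of the rp-pppoe package; the install paths it probes (/usr/sbin/pppoe, /usr/local/sbin/pppoe) are assumptions, and the remediation commands in the comments assume a Debian system with dpkg-statoverride.

```shell
#!/bin/sh
# Added example (not from the thread): classify the setuid state of a file.
# Prints one of: setuid-root, setuid-nonroot, not-setuid, missing.
setuid_state() {
    path="$1"
    [ -e "$path" ] || { echo "missing"; return 0; }
    if [ -u "$path" ]; then
        # test -u checks the set-user-ID mode bit (POSIX); the owner is read
        # from ls -ld so the check does not depend on GNU stat(1).
        owner=$(ls -ld "$path" | awk '{print $3}')
        if [ "$owner" = "root" ]; then
            echo "setuid-root"
        else
            echo "setuid-nonroot"
        fi
    else
        echo "not-setuid"
    fi
}

# Probe the likely install locations of the pppoe binary (assumed paths).
# A "setuid-root" line is the condition the advisory warns about; the
# Debian default described in the thread is "not-setuid".
check_pppoe() {
    for p in /usr/sbin/pppoe /usr/local/sbin/pppoe; do
        printf '%s: %s\n' "$p" "$(setuid_state "$p")"
    done
}

# If a binary turns out to be setuid root, drop the bit and, on Debian, record
# the override so a package upgrade does not restore it (assumed path):
#   chmod u-s /usr/sbin/pppoe
#   dpkg-statoverride --update --add root root 0755 /usr/sbin/pppoe
check_pppoe
```

Run it as any user; reading mode bits needs no privilege. Because the site-wide pppd "peers" configuration can also invoke pppoe via pppd itself, a "not-setuid" result here covers the attack surface the advisory describes, not every possible way the program could end up running as root.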
