Bugtraq mailing list archives

Re: Solaris 2.3-2.4 Audit Bug


From: Mark.Graff () Eng Sun COM ( Mark Graff )
Date: Mon, 13 Feb 1995 10:07:44 -0800


Dow,

The answer to your question is that we maintain a mail alias,
security-alert () sun com, to receive reports like this; and any
of the Answer Centers world-wide, I believe, would accept such
a report as well.

This sounds like the same bug we are about to release a patch
for. It's our policy to have patches available for all of the
affected platforms, then announce the bug and the patches
together.

I will contact you privately for details, then put a followup
note here within a day or two.

Mark G. Graff
415-688-9151

security-alert () sun com


 From owner-bugtraq () fc net  Sat Feb 11 15:30:11 1995
 Subject: Solaris 2.3-2.4 Audit Bug
 To: bugtraq () fc net
 Date: Sat, 11 Feb 1995 16:55:32 -0600 (CST)
 Precedence: bulk
 
 I'm sorry if this has been discussed before.
 
 There is a major security problem with auditing under Solaris 2.3
 and 2.4.  If you run bsmconv to turn on auditing, any user can
 break root very very easily.  I'd say more but I'd like to give
 Sun at least a little bit of a chance to fix it first.
 
 I have access to the source code for the os and have tracked down
 the one line of bad code.  How can I contact Sun to tell them the
 problem with this line of code?????????????
 
 
 ---
 dowiii () ksu ksu edu
 Dow Summers
 Computing and Network Services
 Kansas State University
 


