Re: [Global InterSec 2001121001] glibc globbing issues.

[Solar Designer <solar () openwall com>]

On Mon, Dec 17, 2001 at 07:06:30PM -0800, Tom Parker wrote:
> Vendor Solutions:
>
>  Red Hat have released the following series of packages which
>  fix the glibc issues. Other vendors are yet to release official
>  packages due to a lack of preparation time.

This isn't exactly the case.  The only lack of time was to make sure
"your" vulnerability is the same as the one vendors were already
working on fixing.  Yes, this could have been avoided if one vendor
(and it's not Red Hat) propagated your report to others.

This also explains why update announcements started falling in here
almost immediately after Red Hat's.

We (Openwall GNU/*/Linux) had this fixed for both Owl-current and Owl
0.1-stable on 2001/12/14.  I'd like to use this opportunity to remind
Bugtraq readers that currently we don't "spam" the list with security
update announcements.  Instead, there're the system-wide change logs
where any security fixes are marked specially, --

        http://www.openwall.com/Owl/CHANGES.shtml
        http://www.openwall.com/Owl/CHANGES-stable.shtml

Only really critical security fixes will also be announced to Bugtraq.

So far, during the 7 months since Owl went public, there have been no
privilege escalation holes (both remote and local) which could be
exploited in an active attack(*) and affected the default install(**).

(*) Of course, root may run gnupg with the format string vulnerability
on untrusted input and there's the problem.  Yes, there were "passive"
vulnerabilities like that fixed during this time, -- all documented as
such in the change logs above.

(**) There were a few affecting non-default but supported installs of
Owl, with no third-party software installed.  The exhaustive list is:
Linux 2.2.19 kernel bugs (if newgrp(1) is enabled), xinetd (if ident
lookups are enabled), OpenSSH (authorized_keys2 "from=", UseLogin).
All of these have been on Bugtraq.

-- 
/sd