Vulnerability Development mailing list archives

dip3.7.7p overflow still not patched on SuSE 7.0 ?


From: sebi hegi <hegenbart () aon at>
Date: Sat, 7 Jul 2001 01:11:03 +0200

Hi!
After doing a suid check on my SuSE linux 7.0 x86 I found something
interesting:

hegi@faust:~ > ls -la /usr/sbin/dip
-rwsr-xr--   1 root     dialout     62056 Jul 29  2000 /usr/sbin/dip

DIP: Dialup IP Protocol Driver version 3.3.7p-uri (25 Dec 96)
Written by Fred N. van Kempen, MicroWalt Corporation.

I considered this as a sort of old version and did some searching and found
something on insecure.org. 

Description: Standard overflow (in the -l option processing).
Author:  Goran Gajic <ggajic () AFRODITA RCUB BG AC YU>
Compromise: root (local)
Vulnerable Systems: Slackware Linux 3.4, presumably any other system using dip-3.3.7o or earlier suid root.
Date: 5 May 1998

Referring to a bugtraq post from May 5, 1998 I did this:

hegi@faust:~ > /usr/sbin/dip -k -l `perl -e 'print "a" x 20000'`
DIP: Dialup IP Protocol Driver version 3.3.7p-uri (25 Dec 96)
Written by Fred N. van Kempen, MicroWalt Corporation.

DIP: cannot open 
/var/lock/LCK..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:
 Datei oder Verzeichnis nicht gefunden
Speicherzugriffsfehler

Looks like this version is still vulnerable. Although it's not world executable
it's a security risk. And I'm wondering why SuSE just didn't bother with
providing a patched version in one of their new distributions. SuSE 7.0
wasn't released in 1998.

Have a nice day. 
Sebastian Hegenbart
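
Added example, not part of the original post and not dip's source code: a bounded way to build the lock-file path from the -l argument, so that an over-long name is rejected instead of overrunning a buffer. The helper name build_lock_path, the 64-byte buffer size and the assumption that dip copies the argument into a fixed-size path buffer are illustrative; only the /var/lock/LCK.. prefix comes from the output above.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define LOCK_PREFIX   "/var/lock/LCK.."  /* prefix seen in the output above */
#define LOCK_PATH_MAX 64                 /* assumed buffer size, for illustration */

/*
 * Hypothetical helper (not from dip): build the lock-file path for a
 * user-supplied line name without ever writing past dst.
 * Returns 0 on success, -1 with errno set when the name is rejected.
 */
int build_lock_path(char *dst, size_t dstlen, const char *line)
{
    if (dst == NULL || dstlen == 0 || line == NULL) {
        errno = EINVAL;
        return -1;
    }
    dst[0] = '\0';

    /* A line name is a single path component: not empty, no '/'. */
    if (line[0] == '\0' || strchr(line, '/') != NULL) {
        errno = EINVAL;
        return -1;
    }

    /* snprintf writes at most dstlen bytes and returns the length it
     * needed, so n >= dstlen means the name did not fit. */
    int n = snprintf(dst, dstlen, "%s%s", LOCK_PREFIX, line);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[LOCK_PATH_MAX];
    char big[20001];                     /* constructed input: 20000 x 'a' */
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("ttyS0: %d (%s)\n", build_lock_path(path, sizeof path, "ttyS0"), path);
    printf("20000 x 'a': %d\n", build_lock_path(path, sizeof path, big));
    return 0;
}
```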

