Bugtraq mailing list archives

Re: Fwd: Any user can panic OpenBSD machine

From: david () WWW FUNDY CA (David Maxwell)
Date: Tue, 28 Jul 1998 09:45:06 -0300


On Mon, Jul 27, 1998 at 09:25:39PM -0400, Angelos D. Keromytis wrote:


In message <19980727180938.41315 () dimensional com>, Michael Fuhr writes:


disclosure, isn't it?  I for one was appalled at the simplicity of the
exploit in what's claimed to be one of the most secure operating
systems around, especially since it doesn't appear to be a problem
with the other BSDs.


While I'll agree that this is a very lame bug (in the sense that it
shouldn't exist), one can hardly call it an exploit. It causes a
machine to crash, but we already know how to do that in 32 different
ways (and just as easy -- they don't even require a compiled program)
once you can login (and for some OSes, even without logging in :-)

I don't know why the person who complained did so, but I think he was
unjustified. You were right to point that this is a full disclosure
list.
- -Angelos

PS. The bug was fixed about 1 hour ago.


Sigh. Yes, this is a full disclosure list, but without starting the whole
discussion again - it has been mentioned before that one ought to give a
vendor a reasonable opportunity to respond to any issues before posting them
here. People have given companies like Microsoft (whom I'm no fan of) a week
to respond to more serious issues than this, as long as the vendor is being
responsive and responsible. The OpenBSD PR was ticketed about 24 hours before
your reply stating that it had been fixed - would 24 hours have been an
unreasonable delay - considering that OpenBSD's group was aware of the problem
(hence the PR), considered it 'serious', 'high'-priority, and 'critical', and
marked it as confidential 'yes'? To the earlier response regarding the fact
that this was posted to an OpenBSD list I say this: I doubt that many hackers
monitor the OpenBSD lists in hopes of picking up bugs, while I'm sure many
do monitor Bugtraq. All public forums are not equivalent - I do not feel
distribution in one automatically merits distribution in any other without
consideration.

                                                        David Maxwell

BTW: I don't even run an OpenBSD box, this just felt like a bit of hit-and-run
to me.

Current thread:

Re: Fwd: Any user can panic OpenBSD machine, (continued)
- - - Re: Fwd: Any user can panic OpenBSD machine Angelos D. Keromytis (Jul 27)
    - Re: Fwd: Any user can panic OpenBSD machine Perry E. Metzger (Jul 27)
    - Re: Fwd: Any user can panic OpenBSD machine Theo de Raadt (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Perry E. Metzger (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Theo de Raadt (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Perry E. Metzger (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Alfred Huger (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Perry E. Metzger (Jul 28)
    - CERT Vendor-Initiated Bulletin VB-98.07 - OpenVMS.LOGINOUT (fwd) Phillip R. Jaenke (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Timothy J Luoma (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine David Maxwell (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Theo de Raadt (Jul 27)
    - Re: Fwd: Any user can panic OpenBSD machine Kragen (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Cy Schubert (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Peter W (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Kragen (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Michael Jennings (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Theo de Raadt (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Michael Jennings (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Theo de Raadt (Jul 28)
    - Re: Fwd: Any user can panic OpenBSD machine Michael Jennings (Jul 28)

(Thread continues...)