Bugtraq mailing list archives

Re: Amanda multiple vendor local root compromises

From: oliva () LSD IC UNICAMP BR (Alexandre Oliva)
Date: Tue, 2 Nov 1999 09:41:13 -0200


On Nov  1, 1999, monti <monti () USHOST COM> wrote:

I confirmed a few exploitable buffer overflows in multiple suid's on an
earlier version of amanda on BSDI as well a while back. As I recollect
'runtar' was one of them.


It's probably time to refresh your view :-)

Amanda has undergone a major security auditing before release 2.4.0
final (the latest stable release is 2.4.1p1), in which a couple of
security problems have been fixed, and a lot of security problem-prone
constructs have been reworked to avoid buffer overflows and such.

Anyway, we'd be very interested in being informed (preferably in
advance:-) if any problems remained, or if any new ones have been
introduced.

Thanks for your concern.

--
Alexandre Oliva http://www.ic.unicamp.br/~oliva IC-Unicamp, Bra[sz]il
oliva@{lsd.ic.unicamp.br,guarana.{org,com}} aoliva@{acm,computer}.org
oliva@{gnu.org,kaffe.org,{egcs,sourceware}.cygnus.com,samba.org}
** I may forward mail about projects to mailing lists; please use them

Current thread:

Amanda multiple vendor local root compromises Tellier, Brock (Oct 30)
- Re: Amanda multiple vendor local root compromises Ian Turner (Nov 01)
- Re: Amanda multiple vendor local root compromises Chris Tobkin (Nov 01)
  - Re: Amanda multiple vendor local root compromises Bill Fumerola (Nov 01)
- Re: Amanda multiple vendor local root compromises monti (Nov 01)
- Re: Amanda multiple vendor local root compromises Rob (Nov 01)
- Unqualified Postings edi () GANYMED ORG (Nov 01)
  - Re: Unqualified Postings v0rt (Nov 02)
- <Possible follow-ups>
- Re: Amanda multiple vendor local root compromises Alexandre Oliva (Nov 02)
- Re: Amanda multiple vendor local root compromises Alexandre Oliva (Nov 02)