Bugtraq mailing list archives

Re: Advisory: mgetty local compromise


From: Gert Doering <gert () GREENIE MUC DE>
Date: Sat, 26 Aug 2000 12:09:51 +0200

Hi,

sorry to follow up on myself, but...:

On Sat, Aug 26, 2000 at 11:02:09AM +0200, Gert Doering wrote:
> Vendor releases might still be vulnerable (shipping old versions), but as
> faxrunqd(8) isn't usually run by default, a "standard system" should NOT
> be vulnerable.  *If* you run faxrunqd, though, upgrade to 1.1.22 (but
> those of you that do, you know who you are...)

... this is crap.  faxrunq(8) had the same bug as faxrunqd(8) here (which
the original "advisory" didn't mention).  It has also been fixed in
1.1.22.

So, let me rephrase this: IF you are using the "sendfax" part of
mgetty+sendfax AND you have possibly-malicious users on your system,
then you should urgently upgrade to 1.1.22 (which should be a matter
of "make; make install").

If all your users are trustworthy, you don't have a problem, as this can't
be remotely exploited.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert () greenie muc de
fax: +49-89-35655025                        gert.doering () physik tu-muenchen de

