Bugtraq mailing list archives

Re: Advisory: mgetty local compromise


From: Stan Bubrouski <satan () FASTDIAL NET>
Date: Mon, 28 Aug 2000 16:16:43 -0400

At 04:56 PM 8/26/00 +0200, Gert Doering wrote:

> See I had actually reported this to bugtraq over two months ago,

> You haven't.

Yes I did.

> You have reported this to RedHat's "bugzilla" database, which is something
> completely different.

Yeah I reported it there too, but I did also post it to Bugtraq.

> Checking the bugtraq archives, there are exactly two articles containing
> the word "faxrunq".  Both are written by me, in July 1997 - seems that
> your article from today is not yet indexed.  Other articles from July this
> year are certainly visible.

Here's my post:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=20000622064042.29536.qmail () securityfocus com

I got back from a trip today and found it by actually looking in the bugtraq
archives.  Not too difficult, took me no time to find it.  Wow, guess I was
telling the truth.  You're right though, the search does not find it.

Here's a quote directly from the original Bugtraq post on June 21.

"The Mgetty-sendfax package has a symlink problem as well.
When faxrunqd is run it creates a file named .last_run
in the world-writable /var/spool/fax/outgoing directory
and wouldn't you know it follows symlinks and gladly
smashes any file you feel like smashing.  More details
can be found at:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11874";

I mentioned it in a thread about Red Hat 6.2 compromises, which is exactly
why I decided to repost the vulnerability to the list again to make sure it
got proper attention.

> and only one vendor addressed
> the problem and they did it covertly so nobody knew.

> The "vendor" of mgetty+sendfax is *me*.  You have not notified me, or the
> mgetty mailing list.

Yeah I noticed.  Congratulations.  I was referring to the vendor of a Linux
distribution.  And BTW covertly is the wrong word in the above excerpt,
I should have said without notifying users as it is clearer.

[..]
> I only made this report to clarify the vulnerability and because it had
> now been fixed.

> In that case, please re-read the stuff before you post.  What you did was
> to cause much fuss, much panic ("what, 1.1.22 vulnerable as well?"), and
> no good.

Rereading didn't help.  I posted it early in the morning, perhaps too early.
And what panic?  I still don't see any linux vendors jumping at the
opportunity to release new packages for their current distros.  Some
"panic." ;-)
I really can't give you any explanation for the inexplicable.

> The fact that there was this bug in 1.1.21 has been clearly reported in the
> mgetty list (and it's in the ChangeLog), and Linux distribution vendors
> usually pick up new releases quite quickly, so they should have fixed versions
> available RSN.

Yeah but most only include them in the next release of their distribution
unless they feel there is potential for mischief or headaches.

[..]
> > Second, I am really annoyed to find this on bugtraq, with false data,
> > without any prior contact.  The fact that I just released 1.1.22 should
> > give you enough hint that I am still maintaining mgetty, and sending me a
> > quick mail "hey, is this bug still open?" would have been in order.
>
> Not sure I understand this.  I thought that's what vendors usually want.
> A report on a vulnerability after a patch or fix is available.

> Huh?  Vendors want the report on the vulnerability when you know about a
> problem, to be able to *develop* a fix.
>
> How do you think a vendor can develop a fix if you don't tell 'em?
>
> (Maybe we have different views what a "vendor" is.  For mgetty+sendfax, I
> am, as the main author and coordinator).

I think of vendors as those who distribute the operating system
(commercially comes to mind) and people who maintain software as
maintainers.  You're right there.  A Linux vendor fixed it in their
distribution, that's what I was talking about.

> If this is not
> the case please let me know, I have scathing holes in other software that
> are not public because they have yet to be fixed.  Get real.
> I don't get embarrassed by a simple typo, do you?

> You better should.  Claiming publicly that something is vulnerable, even
> giving version numbers, when you really should know that it's fixed should
> be embarrassing.   That's much more than a "simple typo".

Yeah seriously, I don't know how I can sleep at night making such a grievous
error.  Had I intended to make it seem as though 1.1.22 was vulnerable
I would have said versions 1.1.22 and previous are vulnerable, I wouldn't have
listed both.  I don't know why I didn't notice it.  An error is an error
is an error.
You pointed out the error and I thought you made it clear the first time.  Do
you like pouring salt in wounds or something?

-Stan
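The quoted report above describes a classic spool-directory bug: a status file (.last_run) rewritten on every run inside a world-writable directory, opened in a way that follows whatever symlink another user left at that path. The following is an added illustration, not mgetty's or any distribution's code, showing the unsafe creation pattern beside a hardened one (open with O_NOFOLLOW, then fstat the descriptor and check it is a plain file owned by the caller before truncating). The function names, the temporary directory layout, the "victim" file and its contents are all constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Constructed illustration of the pattern the quoted report describes.
 * Neither function is taken from mgetty; the names are hypothetical. */

/* Unsafe: fopen("w") resolves a symlink left at the path, so the file the
 * link points at is truncated and overwritten with our content. */
static int unsafe_write_last_run(const char *dir) {
    char path[512];
    snprintf(path, sizeof path, "%s/.last_run", dir);
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fprintf(f, "%ld\n", (long)time(NULL));
    fclose(f);
    return 0;
}

/* Hardened: O_NOFOLLOW makes open fail (ELOOP) when the final component is
 * a symlink; the fstat on the descriptor then rejects anything that is not
 * a regular file we own with a single link, before the first write. */
static int safe_write_last_run(const char *dir) {
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -1;
    int fd = openat(dfd, ".last_run",
                    O_WRONLY | O_CREAT | O_NOFOLLOW | O_NOCTTY, 0644);
    close(dfd);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    /* Truncate only now, once we know what we are holding. */
    if (ftruncate(fd, 0) < 0 || dprintf(fd, "%ld\n", (long)time(NULL)) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

/* Reads a small file and compares it to the expected content. */
static int file_has(const char *path, const char *expect) {
    char buf[64] = {0};
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return strcmp(buf, expect) == 0;
}

/* Builds a throwaway spool directory with a constructed "victim" file and a
 * symlink .last_run -> victim, then exercises both writers.
 * Returns 1 when every observation matches the behaviour described, else 0. */
int run_demo(void) {
    char tmpl[] = "/tmp/spooldemoXXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) return 0;
    char victim[512], link[512];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/.last_run", dir);
    FILE *v = fopen(victim, "w");
    if (!v) return 0;
    fputs("important\n", v);
    fclose(v);
    if (symlink("victim", link) < 0) return 0;

    int ok = 1;
    /* Hardened writer refuses the symlink and leaves the victim untouched. */
    if (safe_write_last_run(dir) != -1) ok = 0;
    if (!file_has(victim, "important\n")) ok = 0;
    /* Unsafe writer follows the link and clobbers the victim's contents. */
    if (unsafe_write_last_run(dir) != 0) ok = 0;
    if (file_has(victim, "important\n")) ok = 0;
    /* With no symlink in the way, the hardened writer creates a plain file. */
    unlink(link);
    if (safe_write_last_run(dir) != 0) ok = 0;
    struct stat st;
    if (lstat(link, &st) < 0 || !S_ISREG(st.st_mode)) ok = 0;

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return ok;
}

int main(void) {
    printf("demo %s\n", run_demo() ? "behaved as described" : "FAILED");
    return 0;
}
```

The fstat checks matter as much as O_NOFOLLOW: a hard link or a pre-created file owned by someone else passes the symlink test but not the ownership and link-count test. The more durable fix, which the thread's version discussion implies the maintainer took, is to keep per-daemon state out of any directory other users can write to.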

