Bugtraq mailing list archives
Re: Solaris libc locale format string exploit
From: "van der Kooij, Hugo" <Hugo.van.der.Kooij () CAIW NL>
Date: Fri, 20 Oct 2000 20:35:49 +0200
On Fri, 20 Oct 2000, Atro Tossavainen wrote:
On Sep 8, 2000 Warning3 posted an exploit for the Solaris libc locale format string vulnerability. This was more than a month ago. This bug has not been fixed yet. The Securityfocus vulnerability database shows no patches for the locale bug on Solaris. Sun's website does not even mention the existance of this bug.My local Sun rep told me on Oct 3 that they have fixes ready for all supported software releases and platforms and that evaluation patches would be sent to customers in a few days. Obviously not. I asked him again yesterday, with the response that the kernel update process for all supported software releases and platforms is rather tedious and lengthy, and that's why it's taking so long.
Couldn't they adopt a two-way strategy? As soon as a fix is available and gone through basic testing then make it available on request with a great disclaimer about the levelof test performed. Then when the whole circus has had their say and all QA steps are taken revoke the tempfix and make the normal fix available. So people have the choice between a certain problem which isn't fixed yet or a fix that is possibly buggy. An extremely long QA process does not hold well with modern day security requirements. In my view this problem is a serious weakness with SUN. Hugo. -- Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland hvdkooij () caiw nl http://home.kabelfoon.nl/~hvdkooij/ -------------------------------------------------------------- Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)
Current thread:
- Solaris libc locale format string exploit Solar, Eclipse (Oct 19)
- Re: Solaris libc locale format string exploit Atro Tossavainen (Oct 20)
- Re: Solaris libc locale format string exploit Jefferson Ogata (Oct 20)
- Re: Solaris libc locale format string exploit van der Kooij, Hugo (Oct 20)
- Re: Solaris libc locale format string exploit Atro Tossavainen (Oct 20)