Bugtraq mailing list archives
Re: MDKSA-2004:145 - Updated rp-pppoe packages fix vulnerability
From: "David F. Skoll" <dfs () roaringpenguin com>
Date: Tue, 7 Dec 2004 23:44:57 -0500 (EST)
On Mon, 7 Dec 2004, Mandrake Linux Security Team wrote:

> Max Vozeler discovered a vulnerability in pppoe, part of the rp-pppoe package. When pppoe is running setuid root, an attacker can overwrite any file on the system.

As the author of rp-pppoe, I take exception to this being reported as a "vulnerability". pppoe is NOT designed to run setuid-root. You may as well claim that a setuid "cat" has a vulnerability that lets it read arbitrary files. Any Linux distro that installs pppoe setuid root is just plain dangerous.

-- David.
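The condition both messages turn on, whether pppoe is installed setuid root, can be checked on a host or in a package build. The script below is an added example, not part of the original post or of rp-pppoe; the function names are hypothetical and the path to audit is supplied by the caller.

```shell
#!/bin/sh
# Added example (not from rp-pppoe): flag binaries installed setuid root.
# Usage: sh check_setuid.sh /path/to/pppoe [more paths...]
# Exit status is 1 if any listed path is setuid and owned by uid 0.

# Print the numeric owner uid of a file (ls -n is POSIX; field 3 is the uid).
owner_uid() {
    ls -ldn -- "$1" | awk '{ print $3 }'
}

# Print one of: missing, plain, setuid-other, setuid-root. Always returns 0.
classify_setuid() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ ! -u "$1" ]; then
        echo plain
    elif [ "$(owner_uid "$1")" = "0" ]; then
        echo setuid-root
    else
        echo setuid-other
    fi
}

# Classify every path given, one "kind<TAB>path" line each.
# Returns 1 if at least one path is setuid root, 0 otherwise.
audit_paths() {
    found=0
    for path in "$@"; do
        kind=$(classify_setuid "$path")
        printf '%s\t%s\n' "$kind" "$path"
        if [ "$kind" = "setuid-root" ]; then
            found=1
        fi
    done
    return "$found"
}

# Run the audit only when paths were passed on the command line.
if [ "$#" -gt 0 ]; then
    audit_paths "$@"
fi
```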