oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

From: Jeff Collins <jeffcollins () mailforce net>
Date: Mon, 27 Jul 2015 08:21:57 -0700
In case you missed it, this discussion continued here:

https://www.reddit.com/r/netsec/comments/3ed4fu/cve20153245_and_cve20153245_local_exploit_that/

and here:

https://news.ycombinator.com/item?id=9945107

Some interesting points were made, and maybe this is a good wake-up
call: it's 2015, and not one, but two 1995-style bugs were discovered in
the default install of a widespread operating system. '\n' injection in
/etc/passwd, really? Something's not quite right here. Modern multi-user
operating systems should be secure by default, like Owl and OpenBSD.

On Sat, 25 Jul 2015, Leif Nixon wrote:

Anyway, the reason that this *really* makes me angry is that I have
spent a long time on the defensive side, trying to keep the kids from
messing too much with kind-of-important scientific systems.


If you're the administrator of important systems like these, and you're
worried about getting rooted by some userland exploit like this, sorry
but you're doing it wrong. Either you secure the default install of your
operating system (and remove the suid bits from binaries like
userhelper), or you install an operating system that's secure by default
(like Owl and its tcb). But it's not 1995 anymore.

-- 
  Jeff Collins
  jeffcollins () mailforce net
Previous By Date Next
Previous By Thread Next

Current thread: