oss-sec mailing list archives
Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser
From: Jeff Collins <jeffcollins () mailforce net>
Date: Mon, 27 Jul 2015 08:21:57 -0700
In case you missed it, this discussion continued here: https://www.reddit.com/r/netsec/comments/3ed4fu/cve20153245_and_cve20153245_local_exploit_that/ and here: https://news.ycombinator.com/item?id=9945107 Some interesting points were made, and maybe this is a good wake-up call: it's 2015, and not one, but two 1995-style bugs were discovered in the default install of a widespread operating system. '\n' injection in /etc/passwd, really? Something's not quite right here. Modern multi-user operating systems should be secure by default, like Owl and OpenBSD. On Sat, 25 Jul 2015, Leif Nixon wrote:
Anyway, the reason that this *really* makes me angry is that I have spent a long time on the defensive side, trying to keep the kids from messing too much with kind-of-important scientific systems.
If you're the administrator of important systems like these, and you're worried about getting rooted by some userland exploit like this, sorry but you're doing it wrong. Either you secure the default install of your operating system (and remove the suid bits from binaries like userhelper), or you install an operating system that's secure by default (like Owl and its tcb). But it's not 1995 anymore. -- Jeff Collins jeffcollins () mailforce net
Current thread:
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser, (continued)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser mancha (Jul 24)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Brandon Perry (Jul 24)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser mancha (Jul 27)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Ankeet Presswala (Jul 27)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser mancha (Jul 24)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser z80 (Jul 29)
- Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser Solar Designer (Jul 29)