The 'Security Digest' Archives (TM)

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #200 [Re: yet another ftpd hole (on Suns)] (1 message, 1125 bytes)


From: Pete Cottrell <>
To: phage
Date: Wed 13:10:33 09/11/1988 EST
Subject: Re: yet another ftpd hole (on Suns)

	Subject: Re: yet another ftpd hole (on Suns)
	From: Edward Vielmetti <>

	Pete, could you pass along the detailed instructions for exploiting
	this hole to someone on this campus?  There are a number of Suns
	on this campus, and I need to be able to verify that they have
	the problem you mentioned and show it to the "responsible people"
	right before their very eyes before they are willing to fix things.

I can understand the reluctance to blindly install fixes; in fact, I have
already been flamed in private mail for being 'arrogant', presumably for
not saying what the exact bug is. At the same time, I think most people
would recognize my concern at blindly announcing on what has been acknowledged
to be a non-secure mailing list yet another way to compromise a machine. I
based my posting on what Berkeley had done, where the anonymous ftp bug
patch was given out without telling exactly how to exercise the hole.
	Now, I certainly realize that people are more likely to accept a
patch from Keith Bostic than from myself, so I pose the question: how do we
trust the fixes? In this case, what might work is for a few other sites
to check to see if they have the bug and if the fix works, then they can
announce it if they desire.
	Just to give some background: someone at another site told me about
the hole. I tried it on our machines and it was there. I made my fix and
the behavior became consistent with the Berkeley behavior. The line of code
I added is in the Berkeley version. I believe it fixes the problem, but if
someone finds otherwise, then I apologize and ask to be notified. The hole
exists in 3.0, 3.2 (on our machines) and according to the person at the
other site, is in 3.4.
	I will give you a call.