Date: Mon, 27 Jul 2015 08:21:57 -0700 From: Jeff Collins <jeffcollins@...lforce.net> To: oss-security@...ts.openwall.com Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser In case you missed it, this discussion continued here: https://www.reddit.com/r/netsec/comments/3ed4fu/cve20153245_and_cve20153245_local_exploit_that/ and here: https://news.ycombinator.com/item?id=9945107 Some interesting points were made, and maybe this is a good wake-up call: it's 2015, and not one, but two 1995-style bugs were discovered in the default install of a widespread operating system. '\n' injection in /etc/passwd, really? Something's not quite right here. Modern multi-user operating systems should be secure by default, like Owl and OpenBSD. On Sat, 25 Jul 2015, Leif Nixon wrote: > Anyway, the reason that this *really* makes me angry is that I have > spent a long time on the defensive side, trying to keep the kids from > messing too much with kind-of-important scientific systems. If you're the administrator of important systems like these, and you're worried about getting rooted by some userland exploit like this, sorry but you're doing it wrong. Either you secure the default install of your operating system (and remove the suid bits from binaries like userhelper), or you install an operating system that's secure by default (like Owl and its tcb). But it's not 1995 anymore. -- Jeff Collins jeffcollins@...lforce.net
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ