[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list]
Date: Thu, 11 Nov 2004 20:58:26 +0300
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: iSEC advisory about binfmt_elf
On Thu, Nov 11, 2004 at 06:22:18PM +0100, Andreas Ericsson wrote:
> Ilya Andreiv wrote:
> >Is 2.4.27-ow1 kernel affected?
>
> Yes, but the setuid binaries on the system are far fewer than those of
> most other distributions
Yes, this does reduce the impact. Especially if you ensure there're
no SUID root binaries; on a default install of Owl (with tcb), it's
sufficient to do:
control ping wheelonly
control traceroute wheelonly
There're no other publicly-accessible SUID-roots by default.
(And we're planning to deal with at least traceroute before the next
release such that it won't require SUID root anymore.)
> and none of them exec() other programs
I do not see how that is relevant.
> so impact is greatly reduced. The Linux kernel team (Linus Torvalds et al,
> not the Owl patchers) were the ones that disclosed the vulnerability,
This is not entirely true. Paul had to set the public disclosure date
himself.
> so 2.4.28 should be out fairly soon to fix this problem.
Fairly soon, yes, but maybe not very soon. There're more fixes Marcelo
will want to include.
--
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
Powered by Openwall GNU/*/Linux -
Powered by OpenVZ