Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 11 Nov 2004 20:58:26 +0300
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: iSEC advisory about binfmt_elf

On Thu, Nov 11, 2004 at 06:22:18PM +0100, Andreas Ericsson wrote:
> Ilya Andreiv wrote:
> >Is 2.4.27-ow1 kernel affected?
> 
> Yes, but the setuid binaries on the system are far fewer than those of 
> most other distributions

Yes, this does reduce the impact.  Especially if you ensure there're
no SUID root binaries; on a default install of Owl (with tcb), it's
sufficient to do:

	control ping wheelonly
	control traceroute wheelonly

There're no other publicly-accessible SUID-roots by default.

(And we're planning to deal with at least traceroute before the next
release such that it won't require SUID root anymore.)

> and none of them exec() other programs

I do not see how that is relevant.

> so impact is greatly reduced. The Linux kernel team (Linus Torvalds et al, 
> not the Owl patchers) were the ones that disclosed the vulnerability,

This is not entirely true.  Paul had to set the public disclosure date
himself.

> so 2.4.28 should be out fairly soon to fix this problem.

Fairly soon, yes, but maybe not very soon.  There're more fixes Marcelo
will want to include.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.