Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1438010517.1630882.334263889.1FE7ED60@webmail.messagingengine.com>
Date: Mon, 27 Jul 2015 08:21:57 -0700
From: Jeff Collins <jeffcollins@...lforce.net>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246
 libuser

In case you missed it, this discussion continued here:

https://www.reddit.com/r/netsec/comments/3ed4fu/cve20153245_and_cve20153245_local_exploit_that/

and here:

https://news.ycombinator.com/item?id=9945107

Some interesting points were made, and maybe this is a good wake-up
call: it's 2015, and not one, but two 1995-style bugs were discovered in
the default install of a widespread operating system. '\n' injection in
/etc/passwd, really? Something's not quite right here. Modern multi-user
operating systems should be secure by default, like Owl and OpenBSD.

On Sat, 25 Jul 2015, Leif Nixon wrote:
> Anyway, the reason that this *really* makes me angry is that I have
> spent a long time on the defensive side, trying to keep the kids from
> messing too much with kind-of-important scientific systems.

If you're the administrator of important systems like these, and you're
worried about getting rooted by some userland exploit like this, sorry
but you're doing it wrong. Either you secure the default install of your
operating system (and remove the suid bits from binaries like
userhelper), or you install an operating system that's secure by default
(like Owl and its tcb). But it's not 1995 anymore.

-- 
  Jeff Collins
  jeffcollins@...lforce.net

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.