Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 27 Jul 2015 08:21:57 -0700
From: Jeff Collins <jeffcollins@...lforce.net>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246
 libuser

In case you missed it, this discussion continued here:

https://www.reddit.com/r/netsec/comments/3ed4fu/cve20153245_and_cve20153245_local_exploit_that/

and here:

https://news.ycombinator.com/item?id=9945107

Some interesting points were made, and maybe this is a good wake-up
call: it's 2015, and not one, but two 1995-style bugs were discovered in
the default install of a widespread operating system. '\n' injection in
/etc/passwd, really? Something's not quite right here. Modern multi-user
operating systems should be secure by default, like Owl and OpenBSD.

On Sat, 25 Jul 2015, Leif Nixon wrote:
> Anyway, the reason that this *really* makes me angry is that I have
> spent a long time on the defensive side, trying to keep the kids from
> messing too much with kind-of-important scientific systems.

If you're the administrator of important systems like these, and you're
worried about getting rooted by some userland exploit like this, sorry
but you're doing it wrong. Either you secure the default install of your
operating system (and remove the suid bits from binaries like
userhelper), or you install an operating system that's secure by default
(like Owl and its tcb). But it's not 1995 anymore.

-- 
  Jeff Collins
  jeffcollins@...lforce.net

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.