Message-ID: <20041111175826.GB470@openwall.com>
Date: Thu, 11 Nov 2004 20:58:26 +0300
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: iSEC advisory about binfmt_elf

On Thu, Nov 11, 2004 at 06:22:18PM +0100, Andreas Ericsson wrote:
> Ilya Andreiv wrote:
> >Is 2.4.27-ow1 kernel affected?
>
> Yes, but the setuid binaries on the system are far fewer than those of
> most other distributions

Yes, this does reduce the impact. Especially if you ensure there're no
SUID root binaries; on a default install of Owl (with tcb), it's
sufficient to do:

	control ping wheelonly
	control traceroute wheelonly

There're no other publicly-accessible SUID-roots by default. (And we're
planning to deal with at least traceroute before the next release such
that it won't require SUID root anymore.)

> and none of them exec() other programs

I do not see how that is relevant.

> so impact is greatly reduced. The Linux kernel team (Linus Torvalds et al,
> not the Owl patchers) were the ones that disclosed the vulnerability,

This is not entirely true. Paul had to set the public disclosure date
himself.

> so 2.4.28 should be out fairly soon to fix this problem.

Fairly soon, yes, but maybe not very soon. There're more fixes Marcelo
will want to include.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
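Added example, not part of the original message and not Owl's own tooling: a shell check that lists SUID files owned by a given uid that are still executable by users outside the owning group, which is one way to confirm that no publicly-accessible SUID-root binaries remain after the `control` commands above. The function names, the demo tree and the use of mode 4710 to stand in for a group-restricted binary are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit for SUID files that any local user can execute.

# list_public_suid DIR [UID]
#   DIR  tree to scan (find stays on one filesystem because of -xdev)
#   UID  numeric owner to look for; defaults to 0 (root)
list_public_suid() {
    dir=$1
    uid=${2:-0}
    # -perm -4001 matches files with BOTH the setuid bit and the
    # execute-for-others bit set; group-only SUID files do not match.
    find "$dir" -xdev -type f -user "$uid" -perm -4001 -print 2>/dev/null | sort
}

# count_public_suid DIR [UID]: number of files list_public_suid reports
count_public_suid() {
    list_public_suid "$@" | wc -l | tr -d ' '
}

# make_demo_tree: constructed sample tree for trying the check without root.
# Files are owned by the calling user, so pass "$(id -u)" as UID when scanning.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    for f in open restricted plain; do
        : > "$d/$f"
    done
    chmod 4755 "$d/open"        # SUID, executable by everyone: reported
    chmod 4710 "$d/restricted"  # SUID, owner and group only (assumed): not reported
    chmod 0755 "$d/plain"       # no SUID bit: not reported
    echo "$d"
}
```

Running `list_public_suid /` as root scans the root filesystem; an empty result means no SUID-root file there is executable by users outside its group.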