[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Re: MDKSA-2004:145 - Updated rp-pppoe packages fix vulnerability
From:       "David F. Skoll" <dfs () roaringpenguin ! com>
Date:       2004-12-08 4:44:57
Message-ID: Pine.LNX.4.58.0412072343360.7244 () shishi ! roaringpenguin ! com
[Download RAW message or body]

On Mon, 7 Dec 2004, Mandrake Linux Security Team wrote:

>  Max Vozeler discovered a vulnerability in pppoe, part of the rp-pppoe
>  package.  When pppoe is running setuid root, an attacker can overwrite
>  any file on the system.

As the author of rp-pppoe, I take exception to this being reported as
a "vulnerability".  pppoe is NOT designed to run setuid-root.  You may
as well claim that a setuid "cat" has a vulnerability that lets it read
arbitrary files.

Any Linux distro that installs pppoe setuid root is just plain dangerous.

--
David.
[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic