[supinfo at caldera.com: Security Update [CSSA-2001-032.0] Linux - sendmail instant root exploit]

J. Jones jjones at darkside.dynup.net
Sat Aug 25 09:36:06 PDT 2001


On Sat, Aug 25, 2001 at 12:27:10PM +0200, Thomas -Balu- Walter spat:
> Actually this is the final reason for me to switch to qmail...
> 
> I was kinda satisfied with sendmail over the last years, since no bugs
> were found - now I am proved wrong...
> 
> Thank god I am playing with qmail for some weeks now.
> 
> http://www.securityfocus.com/templates/article.html?id=244
> 
>      Ba-:(-lu
> 
> 1. Problem Description
> 
>    Sendmail contains an input validation error, so local users may be
>    able to write arbitrary data to process memory, possibly allowing the
>    execution of code/commands with elevated privileges. This allows
>    a local attacker to gain access to the root account.
> 
>

Have you tried the exploit(s)? They aren't working here.  Oh, and BTW,
SuSE's announcements are better than Caldera's.  :)

I realize this is an actual bug, but it seems a lot of hypotheticalness
(is that a word?) is involved with a lot of these "security" issues,
sorta like the mktemp/tempnam stuff.

http://lists2.suse.com/archive/suse-security-announce/2001-Aug/0003.html

mc-not-scared-of-sendmail-a

-- 
Unsubscribe: send email to lfs-security-request at linuxfromscratch.org
and put unsubscribe in the subject header of the message


