[supinfo at caldera.com: Security Update [CSSA-2001-032.0] Linux - sendmail instant root exploit]

J. Jones jjones at darkside.dynup.net
Sat Aug 25 09:36:06 PDT 2001

On Sat, Aug 25, 2001 at 12:27:10PM +0200, Thomas -Balu- Walter spat:
> Actually this is the final reason for me to switch to qmail...
> I was kinda satisfied with sendmail over the last years, since no bugs
> were found - now I am proved wrong...
> Thank god I am playing with qmail for some weeks now.
> http://www.securityfocus.com/templates/article.html?id=244
>      Ba-:(-lu
> 1. Problem Description
>    Sendmail contains an input validation error, so local users may be
>    able to write arbitrary data to process memory, possibly allowing the
>    execution of code/commands with elevated privileges. This allows
>    a local attacker to gain access to the root account.

Have you tried the exploit(s)? They aren't working here.  Oh, and BTW,
SuSE's announcements are better than Caldera's.  :)

I realize this is an actual bug, but it seems a lot of hypotheticalness
(is that a word?) is involved with a lot of these "security" issues,
sorta like the mktemp/tempnam stuff.



Unsubscribe: send email to lfs-security-request at linuxfromscratch.org
and put unsubscribe in the subject header of the message
