
List:       bugtraq
Subject:    Re: mtr-0.41 root exploit
From:       Kris Kennaway <kris () FREEBSD ! ORG>
Date:       2000-04-26 5:57:16

On Tue, 25 Apr 2000, Rogier Wolff wrote:

> I would've appreciated the lesser "scare" when an accompanying note
> would've said that the bug was already fixed.

I would have appreciated too if the poster had acknowledged that FreeBSD
already upgraded to the new version a month and a half ago, and released a
security advisory about it. I think it's fairly bad form to release an
"exploit for Operating System X" without mentioning that it actually
refers to an old version which has since been fixed, since it makes that
particular OS look bad when in fact they've done everything right.

Having said the above, there *is* still a security issue remaining in mtr
on FreeBSD 3.4-STABLE and earlier due to the libmytinfo overflow: mtr will
overflow after dropping privileges so it won't yield root, but it leaks
the raw network sockets it opens beforehand which can be used by the
attacker.

I'm about to commit a fix for libmytinfo, but I'd like to repeat my
request to the bugtraq audience that you give vendors at least a few days
prior notice before publishing to the world (more, if they respond and
appear to be trying to address it). I like to think FreeBSD reacts quickly
to security issues, but Mr. Frasunek has put even the most
vigilantly-maintained FreeBSD systems at risk for the past 36 hours or so
because we had to scramble to address the problem *after* it was released
to the world.

I know that some commercial outfits don't respond to security reports in
the way we'd like them to, but open source projects like FreeBSD tend to
be a lot better. Give us a chance :-)

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
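
Added example, not part of the original message and not mtr or FreeBSD code: a C program that audits the condition described above, where a socket opened while privileged is still held after the privilege drop. The helper names find_sockets_of_type and drop_privileges are assumptions made for this illustration.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Scan the descriptor table for sockets of type want_type (e.g. SOCK_RAW).
 * Stores up to max_out descriptors in out[] and returns how many exist. */
int find_sockets_of_type(int want_type, int *out, int max_out)
{
    long limit = sysconf(_SC_OPEN_MAX);
    int found = 0;
    if (limit < 0 || limit > 4096)
        limit = 4096;                    /* bound the scan */
    for (int fd = 0; fd < (int)limit; fd++) {
        int type = 0;
        socklen_t len = sizeof(type);
        if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) != 0)
            continue;                    /* closed, or not a socket */
        if (type == want_type) {
            if (found < max_out)
                out[found] = fd;
            found++;
        }
    }
    return found;
}

/* Permanently drop to the real uid/gid, as a setuid tool does after
 * opening its sockets. Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    if (setgid(getgid()) != 0 || setuid(ruid) != 0)
        return -1;
    if (ruid != 0 && setuid(0) == 0)     /* root must not be regainable */
        return -1;
    return 0;
}

int main(void)
{
    int fds[16];
    /* Succeeds only when run as root or installed setuid root. */
    int raw = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (drop_privileges() != 0)
        return 1;
    int n = find_sockets_of_type(SOCK_RAW, fds, 16);
    printf("raw socket fd %d; %d raw socket(s) held after drop\n", raw, n);
    return 0;
}
```

Dropping the uid does not revoke descriptors, so any count above zero is what code running after the drop still has access to.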
