rra at stanford.edu
Fri Mar 23 11:36:24 UTC 2001
Enrique A Sanchez Montellano <enrique.sanchez at defcom.com> writes:
> Russ Allbery wrote:
>> Then those systems are broken and I strongly encourage you to report a
>> bug against the packagers of INN for those systems. INN itself never
>> installs startinnfeed that way, and doing so does indeed open a large
>> security hole. (You don't even need buffer overflows in innfeed to
>> exploit that security hole; it's trivial to get startinnfeed to execute
>> any program you want.)
> Point taken, now in my mind I'm just thinking how you would do that but
> that is something I'll try to find out on my own. Heh
Take a look at inndstart in a current verison of INN (2.3.1); I document
exactly how the security model works.
>> startinnfeed must only be executable by members of the news group.
> Ok, I shall try to see if I can manage to get root (I'm pretty shure I
> won't but at least I'll die trying ;-P...), in case I do or don't would
> you mind me making a patch for it and sending it to you?
I'd gladly welcome a patch for that buffer overflow regardless of whether
it's exploitable or not. *grin* Thank you!
> then releasing an advisory?
Sure. I think that if Slackware is shipping startinnfeed world-executable
and still setuid root, that deserves an advisory; you may want to give
them a head's-up first, though, if they're doing that.
If you find a security hole in INN, we'll also issue our own advisory, but
I have no objections to you issuing one as well. Our *preference* would
be, if you find a security hole, that you could give us time to patch it
and then a day after that before announcing anything, since that will mean
there's a snapshot available with the fix incorporated for people to
> I know I'm a pain but I want to contribute I like your program, I think
> is great and want to make it more secure and better. I hope you don't
Thanks! I don't mind at all. :)
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the inn-bugs