[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MDKSA-2004:145 - Updated rp-pppoe packages fix vulnerability

To: Mandrake Linux Security Team <security@xxxxxxxxxxxxxxxxxx>
Subject: Re: MDKSA-2004:145 - Updated rp-pppoe packages fix vulnerability
From: "David F. Skoll" <dfs@xxxxxxxxxxxxxxxxxx>
Date: Tue, 7 Dec 2004 23:44:57 -0500 (EST)

On Mon, 7 Dec 2004, Mandrake Linux Security Team wrote:

>  Max Vozeler discovered a vulnerability in pppoe, part of the rp-pppoe
>  package.  When pppoe is running setuid root, an attacker can overwrite
>  any file on the system.

As the author of rp-pppoe, I take exception to this being reported as
a "vulnerability".  pppoe is NOT designed to run setuid-root.  You may
as well claim that a setuid "cat" has a vulnerability that lets it read
arbitrary files.

Any Linux distro that installs pppoe setuid root is just plain dangerous.

--
David.

References:
- MDKSA-2004:145 - Updated rp-pppoe packages fix vulnerability
  - From: Mandrake Linux Security Team

Prev by Date: [SECURITY] [DSA 606-1] New nfs-utils packages fix denial of service
Next by Date: Re: MD5 To Be Considered Harmful Someday
Previous by thread: MDKSA-2004:145 - Updated rp-pppoe packages fix vulnerability
Next by thread: MDKSA-2004:144 - Updated lvm1 packages fix temporary file vulnerability
Index(es):
- Date
- Thread