Date: Sat, 6 Mar 1999 15:23:23 +0100
From: Marc Heuse <marc@SUSE.DE>
Subject: Re: Linux /usr/bin/gnuplot overflow
To: BUGTRAQ@NETSPACE.ORG

Hi,

I apologize that SuSE isn't currently fast with its security fixes :-(
We've got a heavy workload currently: SuSE 6.1 is being built, the CeBIT fair is coming, some important guys are on holiday, and our 2nd security guy will begin his work in April. Additionally, we are currently redesigning our security fix process to make it fast and reliable. But we are no magicians :-((

Below are responses to several comments people made:

> I strongly second this recommendation. I'll mail S.u.S.E. about it, if
> no-one else does (but then, they're bound to have someone reading bugtraq,
> right?).

Of course ;-)

> Not necessarily. SuSE has still not fixed the lsof buffer overflow either,
> even though lsof is setgid kmem and /dev/kmem is group writable (!)
> I mailed them earlier this week and got as response that they have a new
> lsof which unfortunately would require kernel 2.2. As quick fix they suggested
> removing the group write permissions from /dev/kmem....

Right, this is our current problem. However, this is not a solution because an attacker can still read from kmem (sniff passwords etc.). Our package maintainer is also on holiday, which adds to our current trouble, not to mention we are currently under heavy activity to release SuSE 6.1. However, I'll try to make a fix available for lsof Monday->Wednesday.

> If you use SuSE and you care a _lot_ about local security you must edit
> /etc/rc.config and set PERMISSION_SECURITY="paranoid". That way gnuplot
> would _not_ be suidroot. See the contents of /etc/permissions.paranoid:
> [...]

Well, maybe this is the point to talk about some stuff we are currently developing:

1) an (unofficial) SuSE hardening script which reconfigures your system after answering nine questions
2) OpenBSD-like /etc/security checks which run on a regular basis
3) two mailing lists: suse-security@suse.com for public discussions and our announcements, and suse-security-announce@suse.com only for your announcements. Note that you can already subscribe to suse-security; suse-security-announce will be set up this week. Both lists will be activated mid-March. Please be patient, we've got a very heavy load currently :-(
4) automatic announcements ;-) this is currently under development.

I'll email betas of 1) and 2) on our public security mailing list so people can comment and discuss enhancements.

> I just tried once to fix the disinformation on the list about SuSE
> xtvscreen suidroot but Aleph One didn't accept my email. I don't know
> why Aleph One didn't accept my first email.

Aleph?

xtvscreen is fixed, updated to the newest version, and we did put some more security checks in. It should be available Monday->Wednesday on our ftp servers.

> OTOH, no-one with any kind of security concern on their mind would install
> SVGAlib, in its current state, would they?

Well, I think even a home end-user might be interested in a security fix ;-)

Greets,
Marc

--
Marc Heuse, S.u.S.E. GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc@suse.de   Function: Security Support & Auditing
issue a "finger marc@suse.de | pgp -fka" for my public pgp key