> 
> Carson Gaspar wrote:
> 
> > Does anyone know what the pt_chmod hole is? The same suid program exists in
> > Solaris 2.x, and knowing Sun's track record...
> 
> By my testing, exactly the same bug exists on Solaris 2.3/SPARC;
> however, it does not cause a security hole there. The security hole is
> caused by how the SCO execution environment treats NULL dereferences.
> The same bug probably exists in the pt_chmod source on most System V
> systems; whether it causes a security problem depends on how the OS
> treats NULL dereferences.
> 
> Full disclosure has been sent to CERT for dissemination to other OS
> vendors. I am not in a position to publicly disclose full details at

You might have cc'd it to 8lgm, to save us a few hours!!! :-)

> this time; I also think that to do so would be rude to other OS vendors
> who have not had a chance to issue their own fixes.
> 
> Your pt_chmod is safe if it coredumps when run as `pt_chmod <
> /etc/termcap`. If not, it might or might not be safe. Ask your OS
> vendor, "trace" or "truss".

Talking of trace, is SCO's trace broken? Our copy, at least, seems to miss
out system calls. E.g. for pt_chmod, trace never shows chown(2) being
called; but if you disassemble it or single-step it with adb, you can see
that it does actually get called.

> 
> I'm sorry that I can't say more.
> 
> >Bela<

Well done for getting those patches out so quickly.

Cheers

------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD                | Karl Strickland
PGP 2.3a Public Key Available.             | Internet: karl@bagpuss.demon.co.uk