*BSD News Article 86142



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!howland.erols.net!newsxfer3.itd.umich.edu!newsxfer2.itd.umich.edu!agate!theos.com!deraadt
From: deraadt@theos.com (Theo de Raadt)
Newsgroups: comp.unix.bsd.bsdi.misc
Subject: Re: BSDI: New official patch for BSD/OS 2.1 (U210-032 -- SECURITY)
Followup-To: comp.unix.bsd.bsdi.misc
Date: 05 Jan 1997 07:35:50 GMT
Organization: Theo Ports Kernels For Fun And Profit
Lines: 70
Message-ID: <DERAADT.97Jan5003550@zeus.theos.com>
References: <5a15es$bnt@omega.metrics.com>
NNTP-Posting-Host: zeus.theos.com
In-reply-to: polk@BSDI.COM's message of 27 Dec 1996 13:44:44 -0500
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:5509

In article <5a15es$bnt@omega.metrics.com> polk@BSDI.COM (Jeff Polk) writes:
   There is a new security patch (U210-032) which fixes problems
   in the /etc/security and /etc/daily.local scripts.  Sorry for the 
   announcement immediately before the holidays, but since information
   on this problem was posted to bsdi-users, bugtraq, and potentially
   other forums, it seemed that the exploitation information was already
   widely available.

   BSDI always appreciates being advised of security problems before
   they are announced to the world.  If you discover a security related
   problem with the system, please give us a day or two to address it
   before publishing it widely.

Yeah, a number of people got flamed by BSDI employees over this
advisory being posted to bugtraq.  But the record is clear that BSDI
was alerted about these problems _well_ in advance.  Like around
October 28 and November 29.  BSDI has also been told to look at
OpenBSD for other security fixes too.

First of all it was quite a surprise to be flamed privately about the
advisory going to bugtraq (Heck, I didn't even post it ;-).  But
more so, this BSDI advisory smells like slander to those people who
found and fixed the problem.  (David for finding these problems, Todd
Miller who provided substantial help at squishing the numerous other
similar /tmp races in the source tree, and myself for fixing just as
many).

The claim above, without mentioning any names, is that we suck 'cause
we didn't tell you in advance.  The truth is quite different.  Mail
archives make it quite clear.

Also I note that this posting to bugtraq was surrounded by others
discussing vendors and *CERT who are not giving credit to the finders
of the bugs.  Almost every person felt that the vendors and *CERT
should give credit.  Where's the credit in this posting?  Recently
LOTUS and SGI have given credit in their advisories.

For the record, the /etc/daily and /etc/security problems were found
by David at secnet.com.  Like basically all security problems these
days, it was first reported on the bugtraq mailing list.

Regarding the other BSDI security advisory, the cron/crontab problems
were found by David and myself, and fixed in OpenBSD.  The crontab
maintainer was told about those in September or so but no fixes came
out.  Eventually it was time for the crontab problems to be reported
on bugtraq.  Hmm.  Evidently BSDI has decided to credit AUSCERT
instead.  Quite simply AUSCERT does not deserve that much credit for
ripping off a bugtraq advisory and simply re-packaging it!  BSDI knew
we had found those bugs.

I'm sorry, BSDI, but this is not what security is about.  When you
annoy the people who find the bugs you are not going to get the
advance warning you ask for (even though you have, and dropped the
ball).

Finally, October 28 is a lot more than a day or two before Christmas
Day.

Date:    Mon, 28 Oct 1996 14:34:48 -0700
To:      Keith Bostic <bostic@bsdi.com>
From:    "Todd C. Miller" <millert@xerxes.home.courtesan.com>
Subject: /etc/security can be used to overwrite files as root
---
Date:    Fri, 29 Nov 1996 21:35:33 -0700
To:      Keith Bostic <bostic@vangogh.cs.berkeley.edu>
From:    "Todd C. Miller" <millert@xerxes.home.courtesan.com>
Subject: fyi: security hole in /etc/security ;-) [BSD/OS 2.1]
--
This space not left unintentionally unblank.		deraadt@theos.com
www.OpenBSD.org -- We're fixing security problems so you can sleep at night.