Re: GNU/Linux 'info Buffer Overflow

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: GNU/Linux 'info Buffer Overflow
From: "Janusz A. Urbanowicz" <alex@xxxxxxxxxxxxxxxxxxxx>
Date: Sat, 7 Aug 2004 17:31:11 +0200
In-reply-to: <20040806214112.GA56688@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20040806004621.25110.qmail@xxxxxxxxxxxxxxxxxxxxx> <20040806214112.GA56688@xxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.3.28i

On Fri, Aug 06, 2004 at 11:41:12PM +0200, Niels Bakker wrote:
> /usr/bin/info is not setuid, and I can't think of any way to invoke the
> program where it would allow for privilege escalation.  Why is the
> severity "grave?" Remember that this is bugtraq, about security, not
> the Debian bug tracking system, or texinfo's gnats.

I think that the severity is overstated for Debian BTS too, IMO - and
according to Debian Policy - this should be 'normal' or 'serious' at
highest.

Alex

PS> Niels, your advertised address bounces with virtusertable errors,
I tried to send this offlist first.
-- 
0x46399138

Attachment: pgpXENOBvhObF.pgp
Description: PGP signature

References:
- GNU/Linux 'info Buffer Overflow
  - From: Josh Martin
- Re: GNU/Linux 'info Buffer Overflow
  - From: Niels Bakker

Prev by Date: Re: Winmx Software making calls to Port 25
Next by Date: Re: Winmx Software making calls to Port 25
Previous by thread: Re: GNU/Linux 'info Buffer Overflow
Next by thread: Re: GNU/Linux 'info Buffer Overflow
Index(es):
- Date
- Thread