Re: [linux-team] FW: Very bad news: big security hole in all UN*X
Meh, the problem with the LC stuff isn't new. Besides, the majority of
the LC vulnerabilities are local.
On top of that, if you use the LC code it's rarely on a server... more
likely on a workstation, so nothing to worry about...
Also, this kind of code hasn't yet been checked and corrected for
misplaced sprintf calls or the nasty #define MAX on something
that isn't tested. (so it's just waiting to be fixed)
Finally, as he says, OpenBSD isn't vulnerable to this kind of problem.
alx
Jamart V, 22LW/XSU/SysEnabl Unix wrote:
> Security experts have uncovered a new class of vulnerabilities in Unix and
> Linux systems that let attackers take full control of computers.
> These "format string" vulnerabilities started surfacing about two months
> ago, said Elias Levy, a moderator of the Bugtraq computer security mailing
> list. Some of them have lurked for years in basic Unix programs, but
> security experts only now have begun to find and fix them.
> (...)
> Levy estimates that computer security experts have announced six or seven
> format string vulnerabilities in recent weeks, and Arce predicts many more
> are on the way. And already, security specialists have published on Bugtraq
> sample programs that can exploit the weakness.
> The locale vulnerability uses internationalization software that allows Unix
> and Linux systems to be used in multiple languages. It's significant because
> countless basic Unix programs rely on the locale system to print messages
> such as "password incorrect" in the proper language.
> (...)
> Arce initially found the locale vulnerability on a Sun Microsystems server,
> but it affects all Linux and Unix operating systems except OpenBSD and
> FreeBSD, he said.
> (...)
> Format string vulnerabilities are similar to another broad class of problems
> called "buffer overflow," which have been around for decades and hinge on an
> attacker inserting too many characters into an input field such as a
> password prompt. In a buffer overflow, an attacker also can get a computer
> to run arbitrary instructions that let the attacker take over the computer.
>
> more info at:
> http://news.cnet.com/news/0-1003-200-2719802.html?tag=st.ne.1002.tgif.ni
>
> ---
> Vincent Jamart, Sgt.
> AIX System Administrator
> 22 Log. Wing -XSU
> BELGIAN AIR FORCE
> tf: +32-2/701.23.02
> fax: +32-2/701.59.32
> mail: JamartV@baf.mil.be
> ------------------------------------
> Progress comes from unreasonable people (George Bernard Shaw)
>
>
--------
Visit the Linux Supertore Online: http://www.redcorp.com !
If you want to be deleted from the list, send a mail to
majordomo@rtfm.be with "unsubscribe linux-team" in the body.
Archive of the list: http://tania.be.linux.org/
--
----
Alexandre.Dulaunoy@ubizen.com
http://www.ubizen.com
tel +352 26310585 - fax +352 26310586
Ubizen - 166 rue de Dippach - L-8055 Bertrange
--------------------------------------------------
"The nice thing about standards is that there are
so many of them to choose from." A.S. Tanenbaum