On Tue, Jan 09, 2001 at 01:41:41PM +0100, Christoph Baumann wrote:
> On Tue, Jan 09, 2001 at 11:08:56AM +0000, Julian Gilbey wrote:
> > Most weird. I get this behaviour when running through a setuid root
> > strace, but I don't get the error messages (and hence the content of
> > /etc/shadow) when I don't use strace. I'm still running potato.
>
> I have some more oddities to add.
> When I set RESOLV_HOST_CONF=/etc/shadow and run "fping debian.org" I don't
> get /etc/shadow displayed. Even running it with a +s strace doesn't work.
> But when I use "sudo fping ..." I get /etc/shadow displayed (which
> shouldn't be such a big hole in that case). I too tried it with potato.

Potato is not vulnerable. This is a woody/sid only bug (i.e. glibc 2.1.9x
and greater, such as the 2.2 in woody/sid). The bug is not that it prints
this info, but that it uses the env variable even when suid/sgid. This
wasn't supposed to happen, and the actual fix was a missing comma in the
list of secure env vars that were supposed to be cleared when a program
starts up suid/sgid (including RESOLV_HOST_CONF).

Ben

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  [EMAIL PROTECTED]  --  [EMAIL PROTECTED]  --  [EMAIL PROTECTED]  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
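
The failure mode described in the message above, as an added example that is not part of the original post and not glibc's source: C joins adjacent string literals, so a missing comma in a list of names silently merges two entries and neither variable is scrubbed. Only RESOLV_HOST_CONF comes from the thread; DEMO_VAR_A, DEMO_VAR_B, the list layout and the sample environment are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed lists, not glibc's source. Only RESOLV_HOST_CONF is named in
   the thread; DEMO_VAR_A and DEMO_VAR_B are hypothetical neighbours. */
static const char *const buggy_list[] = {
    "DEMO_VAR_A",
    "RESOLV_HOST_CONF"   /* no comma: joined to the next literal */
    "DEMO_VAR_B",
};
static const char *const fixed_list[] = {
    "DEMO_VAR_A", "RESOLV_HOST_CONF", "DEMO_VAR_B",
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Return 1 if the "NAME=value" entry names a variable in list. */
static int listed(const char *entry, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(list[i]);
        if (strncmp(entry, list[i], len) == 0 && entry[len] == '=')
            return 1;
    }
    return 0;
}

/* Scrub a constructed environment, then return 1 if `name` is still set. */
static int survives_scrub(const char *const *list, size_t n, const char *name)
{
    const char *env[] = { "PATH=/usr/bin", "DEMO_VAR_A=1",
                          "RESOLV_HOST_CONF=/etc/shadow", "DEMO_VAR_B=2", NULL };
    size_t kept = 0;
    for (size_t i = 0; env[i] != NULL; i++)
        if (!listed(env[i], list, n))
            env[kept++] = env[i];
    env[kept] = NULL;
    for (size_t i = 0; env[i] != NULL; i++)
        if (listed(env[i], &name, 1))
            return 1;
    return 0;
}

int main(void)
{
    printf("buggy: %zu entries, RESOLV_HOST_CONF survives = %d\n", COUNT(buggy_list),
           survives_scrub(buggy_list, COUNT(buggy_list), "RESOLV_HOST_CONF"));
    printf("fixed: %zu entries, RESOLV_HOST_CONF survives = %d\n", COUNT(fixed_list),
           survives_scrub(fixed_list, COUNT(fixed_list), "RESOLV_HOST_CONF"));
    return 0;
}
```

The merged list is one entry short, so a check on the expected entry count catches this class of mistake before it ships.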