On Fri, Nov 17, 2000 at 06:24:33AM -0900, Ethan Benson wrote:
>
> On Fri, Nov 17, 2000 at 07:54:26AM -0600, An Thi-Nguyen Le wrote:
> > On Fri, Nov 17, 2000 at 03:46:19AM -0900, Ethan Benson typed:
> > } On Fri, Nov 17, 2000 at 12:36:54PM +0000, thomas lakofski wrote:
> > } > fyi -- i've not tried it.
> > }
> > } i have, it does not work, i tried several different variations and
> > } failed to create any files in /var/spool/cron.
> > }
> > } i do not believe debian is vulnerable.
> >
> > Wrong, we *are* vulnerable.  Take a look at /var/spool/cron/crontabs
> > instead.
>
> ah, you're right, however this is not exploitable since
> /var/spool/cron/crontabs is mode 700.
>
> still should be fixed though.

Wrong again :)  In most clean Debian installs it is not mode 0700.  There
will be a security advisory shortly.

Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|       [EMAIL PROTECTED]        |  |       [EMAIL PROTECTED]        |
\--------------------------------/  \--------------------------------/

