Once again (I ranted enough about this on bugtraq, I thought):
OpenBSD does NOT have an adduser vulnerable to the problem described,
and its useradd utility SPECIFICALLY has command-line options to
prevent the problem described.
I'm just a little pissed that that vulnerability was added to the
database for ANY vendor. None of the programs try to guarantee unique
names, AFAIK (although openbsd, again, does! if called properly).
This vulnerability would very properly belong to any Web-based
Adduser scripts that call the OS's useradd programs IMPROPERLY. As no
actual packages were named in the advisory, it most properly belongs
as a "Secure programming" problem.
OpenBSD's talkd was vulnerable to exploitation, so was its ftpd and
fstat.
The reason you see so many FreeBSD security advisories, is that they
watch for problems with programs in their ports collection, and send
updates about them. OpenBSD does not, although it does update its
ports as quickly as FreeBSD for security problems.
Sorry, mouss hit a button by bringing that up :)
jeff
> >> There have been about two dozen FreeBSD advisories in the
> >> last month! I can't even remember the last OpenBSD advisory I saw.
> >
> >
> > so here is a confidence: a look at securityfocus lists:
> > OpenBSD:
> > 2000-11-10: adduser vulnerability (shared with RedHat)
> > 2000-10-05: talkd vuln.
> > 2000-10-05: arp related DoS
> > 2000-10-04: fstat vuln
>
> The adduser vulnerability seems applicable. I can't actually get to my
> OpenBSD 2.6 box right now or I'd test it. Of course, since normal users
> aren't generally allowed to run such things, it seems fishy. I wonder
> what the perms are on add* on obsd.
>
> The talkd vulnerability isn't in the current release. Regardless I
> disable such useless services as talk on my systems, so it's not an
> issue - And please, show me an exploit. But I digress...
>
> The ARP DoS attack doesn't work on the LAST version of obsd (2.7) let
> alone the latest.
>
> The fstat vulnerability is listed as affecting 2.7 and below. It does
> however seem like a nasty potential exploit. I'm sure it will be fixed
> quite rapidly.
>
> >
> > .....
> >
> > yes FreeBSD has more reports, but most concern ports, which are
> > third party software that none is forced to install, nor are they
> > installed by default.
>
> 2000-11-14: FreeBSD ppp deny_incoming Vulnerability
> 2000-11-01: FreeBSD getnameinfo() Denial of Service Vulnerability
> 2000-10-13: FreeBSD fingerd File Disclosure Vulnerability
> 2000-09-13: FreeBSD eject Buffer Overflow Vulnerability
> This one's a potential local root exploit.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
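The "secure programming" point above, that a Web-based add-user script must not hand a name straight to the OS's useradd but must first validate it and check that no such account exists, as an added example. This is not code from the message, from OpenBSD or from any of the advisories discussed; it is a hypothetical wrapper. It assumes a passwd-format account database at $PASSWD_FILE (default /etc/passwd) and a $USERADD command to run for an acceptable name; both are the example's own parameters, and USERADD defaults to a harmless echo so the block runs unprivileged and offline against a constructed sample database. Which useradd options a given OS offers to enforce uniqueness is deliberately not assumed here; the check is done by the caller.

```shell
#!/bin/sh
# Added example (not from the original post or any vendor's useradd):
# a wrapper that an add-user script should use instead of passing an
# untrusted name straight to the OS tool.  It refuses names that are not
# plain lowercase account names and names that already exist.
#
# Assumptions (hypothetical, for this example): $PASSWD_FILE is a
# passwd-format database, $USERADD is the command to run for a valid,
# unique name.  The echo default keeps the example harmless.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
USERADD="${USERADD:-echo useradd}"

# Constructed sample account database (not a real system's passwd).
make_sample_passwd() {
    printf '%s\n' \
        'root:*:0:0:Charlie Root:/root:/bin/sh' \
        'daemon:*:1:1:The devil himself:/root:/sbin/nologin' \
        'jeff:*:1000:1000:Jeff:/home/jeff:/bin/sh' > "$1"
}

# 0 if the name is acceptable: 1-32 chars of [a-z0-9_-], first char a
# letter or '_'.  This rejects ':' and newlines (which could smuggle
# extra fields or records into passwd) and a leading '-' (which useradd
# could parse as an option).
valid_name() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        [!a-z_]*)         return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# 0 if an account with exactly this name already exists.  awk compares
# the first field as a string, so the name is never used as a pattern.
name_exists() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# The IMPROPER call the message describes: whatever the web form sent
# goes straight to useradd, duplicates and all.
unsafe_add_user() {
    $USERADD "$1"
}

# The proper call: validate, check uniqueness, and only then run the tool.
# Returns 2 for a malformed name, 3 for an existing one, else useradd's status.
add_user() {
    name="$1"
    if ! valid_name "$name"; then
        echo "refusing '$name': not a plain account name" >&2
        return 2
    fi
    if name_exists "$name"; then
        echo "refusing '$name': account already exists" >&2
        return 3
    fi
    $USERADD "$name"
}

# Stand-alone demonstration against the constructed sample database.
demo() {
    db=$(mktemp) || return 1
    make_sample_passwd "$db"
    PASSWD_FILE="$db"
    for n in newuser jeff 'root:x:0:0' -r; do
        add_user "$n" || echo "add_user '$n' returned $?"
    done
    rm -f "$db"
}
demo
```

The check-then-create sequence is still a race against a concurrent account creation, so on a real system the wrapper should be run under the same lock the OS tool uses, or the OS tool itself must refuse duplicates; the wrapper's job is to never be the party that introduces one.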