Re: Debian-devel subscriber count
Here's one lurker sticking his head up for a second. I lurk so I get some picture of what's happening on the hamm front, beyond what I get on debian-user. I don't post because I don't develop (yet ;).

TL

On 13 Dec 1997 [EMAIL PROTECTED] wrote:
> From: [EMAIL PROTECTED]
> To: debian-devel@lists.debian.org
> Date: 13 Dec 1997 20:38:31 -
> Subject: Debian-devel subscriber count
>
> Goodness gracious. Debian-devel has >400 subscribers. Must be a lot of
> lurkers.
>
> Bruce

--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: Buffer overrun in Redhat 5.0 (fwd)
Hi,

This concerns a potential buffer overrun problem with glibc2 -- wanted to make sure that the relevant Debian people were aware of it. I'm not running a hamm system anymore so I can't test it against the Debian libc6.

TL

-- Forwarded message --
From: Wilton Wong - ListMail <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Mon, 15 Dec 1997 06:57:45 -0700
Subject: Re: Buffer overrun in Redhat 5.0

So far I've gotten a few reports back saying that my trace_sehll program doesn't work as expected, all I can say is it worked for me. In most cases it just returned "XXX..XXX: host unknown" or something similar.. BUT if you increased the buffer size the programs still segfault, although they do not immediately yield a root shell.. A buffer overrun != a root shell in all cases, although in about 99% of them they do, the problem is finding the right spot to put the shellcode or whatever it is that you want the thing to return..

Getting root is not important here, what is important is that there is a buffer overrun and you can get at it, whether or not you can get a shell out of it is irrelevant, a buffer overrun is shoddy programming on someone's part and that's the real problem not if you can get root or not. Root is just a bonus, and yes it's nice but..

Story thus far: Okay I noticed that if I ran traceroute with a really long param it segfaults and I wondered if I could exploit this, I could, I checked to see that I didn't have a twisted version of traceroute, I didn't, so I tried ping as well same result. That's when I posted. Then almost immediately afterward I also noticed rsh and rlogin as they too were suid and I posted that too.. Then I noticed I could also segfault telnet.. that was odd.. I downloaded sources for all of these and built them myself and scanned thru most of the code to see if there were any obvious holes there weren't I wasn't expecting to find any as these programs come standard with almost every OS. The problem lies deep within one of the libraries..
glibc2 joy... the programs themselves are not vulnerable. For example a simple program like this should in no cases yield a segfault:

vulnerable.c

#include <stdio.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    struct hostent *hostinfo = 0;

    /* look up whatever name was passed on the command line */
    if (argc > 1) {
        hostinfo = gethostbyname(argv[1]);
    }
    if (hostinfo)
        printf("Host name: %s\n", hostinfo->h_name);
    return 0;
}

but it can be made to segfault with an extra long parameter.. The gdb output wasn't much help:

---
[EMAIL PROTECTED]:~/src/test$ ./vulnerable `buff-over`
Segmentation fault (core dumped)
[EMAIL PROTECTED]:~/src/test$ gdb vulnerable core
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i386-redhat-linux), Copyright 1996 Free Software Foundation, Inc...
Core was generated by `./vulnerable XX'.
Program terminated with signal 11, Segmentation fault.
find_solib: Can't read pathname for load map: Input/output error
#0  0x2e726174 in ?? ()
(gdb) bt
#0  0x2e726174 in ?? ()
#1  0x74656e in ?? ()
Cannot access memory at address 0x736b6361.
(gdb) quit
[EMAIL PROTECTED]:~/src/test$
---

Ahh.. symbolic names of ?? and ?? I know what that is brilliant!! But the strace of it shows that before the program segfaults it opens libresolve, and I suspect that is where the overrun lies.. Why it will yield a root shell for me and not for you I don't know.. could be a million number of things all I know is that there is a buffer overrun and for me it is exploitable... =)

- Wilton

-
Wilton Wong                        BlackStar Communications
URL: http://www.blackstar.net      16121 - 57 Street
Email: [EMAIL PROTECTED]           Edmonton AB T5Y 2T1
Tel: (403) 486-7783  Fax: (403) 484-6004
-
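As an added example, not part of Wilton's post or of glibc: a wrapper that refuses over-long or malformed names before they ever reach gethostbyname(), so an oversized argv[1] cannot trigger a crash inside the resolver library. The function names are mine; the 253-character name and 63-character label limits follow RFC 1035.

```c
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <netdb.h>

#define MAX_HOSTNAME 253  /* text-form limit from RFC 1035's 255-octet wire limit */
#define MAX_LABEL     63  /* RFC 1035 limit on one dotted label */

/* Return 1 if name is a syntactically valid hostname, 0 otherwise.  The length
 * checks are what keep an oversized argument from reaching the resolver. */
int validate_hostname(const char *name)
{
    size_t len, label = 0;
    if (name == NULL) return 0;
    for (len = 0; name[len] != '\0'; len++)
        if (len >= MAX_HOSTNAME) return 0;    /* too long: give up early */
    if (len == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        if (c == '.') {                       /* end of a label */
            if (label == 0 || name[i - 1] == '-') return 0;
            label = 0; continue;
        }
        if (!isalnum((unsigned char)c) && c != '-') return 0;
        if (label == 0 && c == '-') return 0; /* label may not start with '-' */
        if (++label > MAX_LABEL) return 0;
    }
    return label == 0 || name[len - 1] != '-'; /* "host." ok, "host-" not */
}

/* Validate a constructed name made of n copies of c (probes the limits). */
int check_repeated(char c, size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL) return -1;
    memset(buf, c, n);
    buf[n] = '\0';
    int ok = validate_hostname(buf);
    free(buf);
    return ok;
}

/* Only hand the name to the resolver once it has passed validation. */
struct hostent *safe_gethostbyname(const char *name)
{
    if (!validate_hostname(name)) return NULL;
    return gethostbyname(name);
}
```

In the program above, replacing the gethostbyname(argv[1]) call with safe_gethostbyname(argv[1]) is enough to keep a `buff-over`-style argument out of the library.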
Re: SPAM to mailing lists! STOP NOW.
On 16 Dec 1997 [EMAIL PROTECTED] wrote:
> We do use qmail.

It might be worth applying the MAPS RBL (Realtime Blackhole List) patches to qmail available at http://www.qmail.org/rbl/

Given the volume of the debian lists, it would make sense for a DNS server on the lists.debian.org LAN to be a secondary of the rbl.maps.vix.com zone (details are at http://maps.vix.com/rbl/usage.html#DNSsub )

TL
Re: unwanted e-mail
Correction. Since you are subscribed to the digest version of debian-devel, send the email to '[EMAIL PROTECTED]' with the word 'unsubscribe' in the body of the message. Sorry for the confusion.

Thomas Lakofski.

On Mon, 29 Dec 1997, Eric Lewis wrote:
> From: Eric Lewis <[EMAIL PROTECTED]>
> To: "'debian-devel@lists.debian.org'"
> Date: Mon, 29 Dec 1997 19:20:47 -
> Subject: unwanted e-mail
>
> Please remove me from your distribution list immediately. I am not, have
> never been or intend to be, a Linux user
>
> -Original Message-
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]
> Sent: 28 December 1997 05:40
> To: [EMAIL PROTECTED]
> Subject: debian-devel-digest Digest V97 #803
>
> << Message: Untitled Attachment >>
> << Message: tk 8.0 >>
> << Message: Re: Non-maintainer release of python-1.5 appreciated ? >>
> << Message: Re: ldconfig warnings >>
> << Message: exim or procmail bug? >>
> << Message: Re: slib and Debian ? >>
> << Message: Re: Mail delivery failed: returning message to sender (fwd) >>
> << Message: Re: problem with libmime-perl_3.204-1.deb in hamm >>
> << Message: Re: What warrants a non-maintainer release number? >>
> << Message: Re: intent to package: doom! >>
> << Message: Re: tk 8.0 >>
> << Message: RE: su and init scripts >>
> << Message: Re: su and init scripts >>
> << Message: Wanted: volunteer to test amd and findutils >>
> << Message: Re: slib and Debian ? >>
> << Message: Re: WNPP: working on xmbdfed >>
> << Message: Re: slib and Debian ? >>
> << Message: next release ? >>
> << Message: Re: next release ? >>
> << Message: What's Debian's /usr/src policy. >>
Re: non-hub 10baseT connections
On Mon, 29 Dec 1997, Stephen Zander wrote:
> Vincent Renardias wrote:
> > Yes, you can, but you need a special ethernet cable with a pair of wires
> > crossed. (I made a few ones, but you should consider to buy it if you have
> > no special wiring knowledge. Costs about $8 here.)
>
> Given the specs, I could but not without tools

You'd be surprised... I described a cross cable to a friend of mine, and told him that he'd have to go and get one made up or get some tools. He mailed me back 5 minutes later to tell me that he'd got it working. I asked him how, he said he'd pried the cable apart, done the cross (he'd never seen ethernet before, and yet he got it right), and then used duct tape to 'secure' the cable back in the cable end. It worked, and it still does. Wouldn't try this for a production system though... ;)

Thomas.
Re: I2O specs mailed to webmaster
On 12 Oct 1998, Gregory S. Stark wrote:
> On the off chance that the original sender is reading this, or looking at the
> e-mail archive: Hotmail is not an anonymous mailing system, and makes no
> pretense of such. They will happily hand over records if needed.

Equally the information you supply to hotmail can be complete garbage and you can access their servers via an anonymizing proxy.

-thomas
sendmail logging disappeared
hmmm, just rebooted for the first time in 20 days and my sendmail daemon isn't doing any logging. no problems in /etc/syslog.conf, and sendmail invoked by pine drops logs in the right places. daemon logs its invocation and then goes about its business (correctly), but doesn't log anything as far as i can see anywhere.

i'm running slink current as of today.

ideas?

-thomas
Re: sendmail logging disappeared (fixed)
Removed and reinstalled sendmail binary, working again. Mysterious.

On Wed, 14 Oct 1998, Thomas Lakofski wrote:
> From: Thomas Lakofski <[EMAIL PROTECTED]>
> To: debian-devel@lists.debian.org
> Date: Wed, 14 Oct 1998 14:05:43 + (UTC)
> Subject: sendmail logging disappeared
>
> hmmm, just rebooted for the first time in 20 days and my sendmail daemon
> isn't doing any logging. no problems in /etc/syslog.conf, and sendmail
> invoked by pine drops logs in the right places. daemon logs its
> invocation and then goes about its business (correctly), but doesn't log
> anything as far as i can see anywhere.
>
> i'm running slink current as of today.
>
> ideas?
>
>
> -thomas
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>

-thomas
latest sysklogd broken?
Hi, Going to contradict myself after some more investigation that I've done: Seems that the latest sysklogd package breaks sendmail's (and cron's, just checked) logging to syslog -- it works for a few minutes, and then no more logs. I don't know if this is universal (only checked 2 daemons), but it looks like it. If I'm barking up the wrong tree, sorry. Would like to know what's going wrong... -thomas
apache-ssl 1.3.3+1.27-1 depends on libssl09
...and as of yet, no libssl09 on non-us.debian.org. (there's a 180 day old bug report on this one) -Thomas
new unstable please
Hi, I noticed that with the transition to frozen, as expected, packages too unstable to be in frozen have vanished (on ftp.debian.org, at least). I hope I can expect a new unstable to appear within a few days, if only to drop those packages which were removed from frozen into it. I guess a name needs to be agreed on. Thomas
Re: getting kernel 2.2 into slink
On Fri, 22 Jan 1999, Brian White wrote:
> I'll share that fantasy. As linux becomes more and more mainstream, it's
> going to be even more difficult to dream. Of course, the reality is that
> most users don't need the 2.2 kernel anyway.

unfortunately (maybe) for Debian, very few inexperienced users choose it (since they don't know about it), and instead choose Red Hat or another commercial vendor in the limelight.

-tl

.. please forgive my abrupt ending hre - but my conection is xtrememleyyhiclmelyey BAD hiccuppy etc must sign off - EF D8 33 68 B3 E3 E9 D2 C1 3E 51 22 8A AA 7B 98
Re: Reality check! [was: Re: Debian goes big business?]
On Sat, 23 Jan 1999, Paul Seelig wrote:
> Please don't let's start *this* kind of discussion yet again. It's
> *not* about appeasing to the masses of unskilled consumers. It's
> about increasing ease of installation, use and maintenance. Skilled
> people definitely benefit from such time saving aspects in their daily
> jobs. Even professionals don't want to always have to deal with
> things which explicitly require a professional. Excellence in design
> doesn't necessarily have to result in awkwardness. The fact that even
> the "mass of unskilled consumers" benefit from this is a completely
> different issue. The point is that what's good for unskilled people
> can be equally good for skilled people who know by themselves how to
> provoke trouble if they really want it. ;-)

As an experienced Debian user, I'll second these sentiments. Since buzz I've been waiting for the Debian installation process to become a (as it should be) 30 minute process, hopefully with some tools included for mass installations. I use Debian myself exclusively but have to hesitate before recommending it to others new to Linux because the process of getting started is harder than it should be.

I also am disappointed with the attitude of some people towards making these things easier to do. Is it some kind of techno-snobbery, maybe? Making things easier does not necessitate dumbing-down things for more competent users. Once up and running, a Debian system is far more maintainable than the alternatives -- a great factor in on-going ease of use. Can some focus be brought to getting there with similar ease?

I've been with Debian for over 2 years now and would be sad to have to abandon it in the long run because of 'we don't do that' politicking instead of pragmatism amongst developers.

-tl
Re: Reality check! [was: Re: Debian goes big business?]
On Sat, 23 Jan 1999, Raul Miller wrote:
> thomas lakofski <[EMAIL PROTECTED]> wrote:
> > I also am disappointed with the attitude of some people towards making
> > these things easier to do. Is it some kind of techno-snobbery, maybe?
>
> In the context of initial installation, I think it's laziness -- a
> refusal to examine problems.
>
> That said, the boot-floppies people seem to be making progress (perhaps
> not as fast as everyone would like, but better than what lots of other
> people have been doing).

OK, since it seems that this kind of thing will probably only happen in a commercial context, maybe it would make sense to arrange commercial sponsorship of Debian in a bigger way. Debian seems to have many attributes which would make it more suitable for large corporate environments than other dists -- it's possible that if this could be pointed out to the right potential installation sites development funding would be forthcoming -- and with that, the means to pay developers to do stuff that they might not be motivated to do out of the goodness of their hearts. (I guess compare with Red Hat - Intel/Netscape/VCs)

I guess I'll ask at my current place of work -- big Swiss bank where they use Solaris exclusively and have expressed interest in Linux because of the benefit it would have for the bottom line.

-tl
Re: Reality check! [was: Re: Debian goes big business?]
On Sun, 24 Jan 1999, Marcus Brinkmann wrote:
> On Sat, Jan 23, 1999 at 08:51:25PM +0000, thomas lakofski wrote:
> > OK, since it seems that this kind of thing will probably only happen in a
> > commercial context, maybe it would make sense to arrange commercial
> > sponsorship of Debian in a bigger way.
>
> I think the first part of your sentence is a bit unfair. To make
> installation easier requires hard work. If it would be easy, it would have

I understand the difficulty of the task -- I think it's also fair to say that because it's not the most glamourous of tasks it might be easier to attract developers to do it with some funding.

> been long done. The trick is to keep flexibility (and don't tell me SuSE is
> flexible). Doing it easy for the newbie and configurable for the experienced
> user requires a well thought out configuration and administration system. At
> least for multi-installation this is currently developed on the
> debian-admintool list.

It's certainly possible to have ease and flexibility -- the install can ask you as its first question whether you want a 'typical install' or 'custom setup'. Since there is no typical install really, some simplified choice of roles could be presented -- say Desktop, Intranet Server or Internet Server. Custom setup could then be left as flexible as necessary.

> Hardware autodetection would be another good thing, but only if implemented
> well and reliable. This does only work with open hardware specifications.
>
> It's not the lack of interest, but the lack of real, skilled contributions
> in this area, which addresses all concerns.

Certainly -- again, maybe it would be easier to attract skilled developers with some sponsorship.

> Needless to say that any contribution is welcome, be it from volunteers or
> commercial organizations. But let's not drag Debian too deep into agreements
> with commercial contributors. If you can convince a company to write a good
> installation procedure, I am sure nobody will neglect it, provided it is
> technically convincing. Debian does make decisions on technical grounds, and
> I would not like to see this changed.

I was thinking that the contributions would be financial (rather than code) to existing developers (or similarly-minded new ones) so that they could concentrate more on Debian development and still be able to earn a living.

rgds,

-tl