1996-03-29 - Re: Sun patch pulled (was Re: HP & Export of DCE)

Header Data

From: Doug Hughes <Doug.Hughes@Eng.Auburn.EDU>
To: cypherpunks@toad.com
Message Hash: 2c4a1c0f0bfde3ceec6de8635718b8ed8516e01efd47cc2d096671266aff5582
Message ID: <doug-9602281439.AA01371320@netman.eng.auburn.edu>
Reply To: <199603272316.XAA13429@pangaea.hypereality.co.uk>
UTC Datetime: 1996-03-29 19:10:27 UTC
Raw Date: Sat, 30 Mar 1996 03:10:27 +0800

Raw message

From: Doug Hughes <Doug.Hughes@Eng.Auburn.EDU>
Date: Sat, 30 Mar 1996 03:10:27 +0800
To: cypherpunks@toad.com
Subject: Re: Sun patch pulled (was Re: HP & Export of DCE)
In-Reply-To: <199603272316.XAA13429@pangaea.hypereality.co.uk>
Message-ID: <doug-9602281439.AA01371320@netman.eng.auburn.edu>
MIME-Version: 1.0
Content-Type: text/plain


>
>I noticed that Sun's latest libc patch (101759-04) is empty.  Previous
>versions contained the complete U.S. version of libc, including the
>tres-dangerous DES and crypt functions.  In the current rev only the
>README remains, presumably because:
>        EXPORT INFORMATION: This patch includes code which performs
>        cryptographic functions, which are subject to U.S. export
>        control, and must not be exported outside the U.S. without
>        prior approval of the U.S. government.  Prior export approval
>        must be obtained by the user of this patch.
>
>So, you might ask, what fixes is Sun not distributing???
>    (Rev 04)
>        1190985 gethostbyname() can trash an existing open file descriptor.
>        1182835 portmapper silently fails with version mismatch by PC-NFS
>                client
>        1219835 Syslog(3) can be abused to gain root access on 4.X systems.
>
Yes, all very dangerous, but, come on, how hard is it to call Sun
to get a copy of the patch? (Answer: it's not.) This is not that big
of a deal.

>Yup, that's right.  The syslog hole that was so well publicized by
>CERT will remain open indefinitely because the ITAR makes it illegal
>for Sun to distribute the fix!
>
It's easy to patch yourself too. I had a patch for this three days after
it was announced, distributed via anon FTP and bugtraq. Basically, replacing
syslog.c with one that Perry had written and adding an snprintf.c function.
I've discontinued offering this since Sun's patch is now available.

>So did HP and Sun spontaneously, simultaneously develop crypto awareness,
>or is some gummint dweeb whispering threats in their ear?
>

Who cares as long as they distribute the patch? The international libc
patch is still freely available to anyone who wants it.


--
____________________________________________________________________________
Doug Hughes					Engineering Network Services
System/Net Admin  				Auburn University
			doug@eng.auburn.edu
		Pro is to Con as progress is to congress
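The fix Doug describes above came down to replacing an unbounded format into a fixed buffer with a bounded one, and shipping an snprintf.c for a libc that had none. The following is an added example, not Doug's, Perry's or Sun's code: a minimal bounded formatter (only %s, %d, %c and %%) that always NUL-terminates and returns the length the full output would have had, so a caller can detect truncation instead of overrunning the buffer. The function names and the log-line layout are assumptions.

```c
#include <stdarg.h>
#include <string.h>

/* Store one character if it fits, always leaving room for the terminator;
 * the logical position advances regardless so the caller learns the true length. */
static size_t emit(char *buf, size_t n, size_t pos, char c) {
    if (pos + 1 < n) buf[pos] = c;
    return pos + 1;
}

/* Minimal snprintf-style formatter (hypothetical name): supports %s, %d, %c, %%.
 * Returns the number of characters the complete output needs, C99-style;
 * buf is NUL-terminated whenever n > 0, even when output is truncated. */
int bounded_vformat(char *buf, size_t n, const char *fmt, va_list ap) {
    size_t pos = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { pos = emit(buf, n, pos, *p); continue; }
        switch (*++p) {
        case 's': { const char *s = va_arg(ap, const char *);
                    if (!s) s = "(null)";
                    for (; *s; s++) pos = emit(buf, n, pos, *s);
                    break; }
        case 'd': { int v = va_arg(ap, int); char tmp[12]; int i = 0;
                    unsigned u = v < 0 ? 0u - (unsigned)v : (unsigned)v;
                    do { tmp[i++] = (char)('0' + u % 10); u /= 10; } while (u);
                    if (v < 0) pos = emit(buf, n, pos, '-');
                    while (i) pos = emit(buf, n, pos, tmp[--i]);
                    break; }
        case 'c': pos = emit(buf, n, pos, (char)va_arg(ap, int)); break;
        case '%': pos = emit(buf, n, pos, '%'); break;
        case '\0': p--; break;             /* dangling '%' at end of format: dropped */
        default: pos = emit(buf, n, pos, '%'); pos = emit(buf, n, pos, *p);
        }
    }
    if (n > 0) buf[pos < n ? pos : n - 1] = '\0';
    return (int)pos;
}

int bounded_format(char *buf, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = bounded_vformat(buf, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Build an "ident[pid]: msg" line into a fixed buffer.
 * Returns 1 if the line had to be truncated to fit, 0 otherwise. */
int build_log_line(char *buf, size_t n, const char *ident, int pid, const char *msg) {
    int need = bounded_format(buf, n, "%s[%d]: %s", ident, pid, msg);
    return need >= 0 && (size_t)need >= n;
}
```

A caller that gets 1 back can log the truncation or allocate a larger buffer; the point is that the buffer bound, not the length of the caller-supplied message, decides how much is written.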