From: Dan Stromberg <strombrg@hydra.acs.uci.edu>
Date: Thu, 28 Mar 96 08:54:59 PST
To: cypherpunks@toad.com
Subject: Re: LACC: Sun patch pulled (was Re: HP & Export of DCE)
In-Reply-To: <199603272316.XAA13429@pangaea.hypereality.co.uk>
Message-ID: <315AC451.7D69@hydra.acs.uci.edu>
MIME-Version: 1.0
Content-Type: text/plain


The syslog problem is fixed in baseline SunOS 5.5.

Sun and HP are apparently doing what the stupid law mandates - and they
should do so, whether someone at NSA (or whatever) is on their case or
not.  :)  They should also have someone in their respective legal
departments bucking ITAR very hard.

"tres-dangerous" must have been typed with a snear, no?

ECafe Anonymous Remailer wrote:
> 
> I noticed that Sun's latest libc patch (101759-04) is empty.  Previous
> versions contained the complete U.S. version of libc, including the
> tres-dangerous DES and crypt functions.  In the current rev only the
> README remains, presumably because:
>         EXPORT INFORMATION: This patch includes code which performs
>         cryptographic functions, which are subject to U.S. export
>         control, and must not be exported outside the U.S. without
>         prior approval of the U.S. government.  Prior export approval
>         must be obtained by the user of this patch.
> 
> So, you might ask, what fixes is Sun not distributing???
>     (Rev 04)
>         1190985 gethostbyname() can trash an existing open file descriptor.
>         1182835 portmapper silently fails with version mismatch by PC-NFS
>                 client
>         1219835 Syslog(3) can be abused to gain root access on 4.X systems.
> 
> Yup, that's right.  The syslog hole that was so well publicized by
> CERT will remain open indefinitely because the ITAR makes it illegal
> for Sun to distribute the fix!
> 
> So did HP and Sun spontaneously, simultaneously develop crypto awareness,
> or is some gummint dweeb whispering threats in their ear?