
Submission + - FreeBSD trivial ROOT, first on 6.X, now on 7.X (theregister.co.uk)

udippel writes: The Register made some headlines [theregister.co.uk] first, scary. There is a video [vimeo.com] that demos how to compile a small program; or upload it to your unprivileged shell, or exploit some scripting on a web server to get some shell, for example the one needed to send out mail, and off you go. Since it is the exploit of a race condition, the whole system could as well crash or hang. In its article, The Register still says "Versions 7.1 and beyond are not vulnerable". Just one day later, the author uploaded another video [vimeo.com], demonstrating the whole process another time, this time for FreeBSD 7.2.
Scary. I start to question FOSS, and wonder how few cold eyes have reviewed this code, overlooking a NULL-dereference plus a race condition.
Icing on the cake: Przemyslaw Frasunek, who discovered the misery, duly informed FreeBSD on August 29th; but his message, according to the FreeBSD guys, "got lost in the slew".
Is this the kind of OS we will gladly recommend for security-related applications?
