[liboping] Version 1.3.3 available
octo at verplant.org
Thu Oct 1 09:20:06 CEST 2009
Steve Kemp has identified an issue with oping, the ping application
included with liboping. Using the “-f” option, you can tell oping to
read the hostnames from a file instead of specifying them on the command
line. If liboping cannot resolve a hostname, oping will complain about
this on standard error.
The problem is that oping is often installed as SetUID-root. In this
case the program can open *any* file and will basically print its
content to STDERR as error messages.
The “-f” option has been changed to accept “-” (i.e. read from standard
input) as the only argument unless the real and effective user IDs
Everybody who has installed oping with SetUID-root (so that normal users
can use the program) is advised to upgrade.
Version 1.3.3 is available from liboping's homepage or via these direct
The Debian package 1.3.3-1 fixes this problem, too, and is available in
2009-09-29, Version 1.3.3:
  * oping: Disable the “-f” option if the real and effective user IDs
    don't match. If that is the case the program is probably running
    SetUID and should not read foreign files. Unfortunately, dropping
    privileges before reading the file is not possible, because they are
    required for opening raw sockets.
    Reading from STDIN using “-f -” is still possible.
Thanks to Steve Kemp for reporting this issue as Debian bug #548684.
Florian octo Forster
Hacker in training
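The check described in the changelog above, as an added example that is not liboping's own code: the argument of “-f” is compared against “-” and the real and effective user IDs are compared before any file is opened. The function names `hostfile_allowed` and `open_hostfile` and the message text are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (name is an assumption, not liboping's):
 * returns 1 if the argument of "-f" may be opened, 0 otherwise. */
static int hostfile_allowed(const char *arg, uid_t ruid, uid_t euid)
{
    if (arg == NULL)
        return 0;
    if (strcmp(arg, "-") == 0)
        return 1;            /* stdin belongs to the caller: always fine */
    return ruid == euid;     /* IDs differ: probably SetUID, refuse files */
}

/* Open the host list, or return NULL without touching the file system
 * when the real and effective user IDs differ. */
static FILE *open_hostfile(const char *arg)
{
    if (!hostfile_allowed(arg, getuid(), geteuid())) {
        fprintf(stderr, "-f: only \"-\" is accepted when the real and "
                        "effective user IDs differ\n");
        return NULL;
    }
    return (strcmp(arg, "-") == 0) ? stdin : fopen(arg, "r");
}

int main(int argc, char **argv)
{
    char line[256];
    FILE *fh = open_hostfile(argc > 1 ? argv[1] : "-");

    if (fh == NULL)
        return 1;
    while (fgets(line, sizeof(line), fh) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';   /* strip the line ending */
        if (line[0] != '\0')
            printf("host: %s\n", line);
    }
    if (fh != stdin)
        fclose(fh);
    return 0;
}
```

The decision is made before `fopen()` is called, so a refused path is never read and none of its content can end up in an error message.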