CVE
- Id
- 8992
- CVE No.
- CVE-2004-0564
- Status
- Candidate
- Description
- Roaring Penguin pppoe (rp-pppoe), if installed or configured to run setuid root contrary to its design, allows local users to overwrite arbitrary files. NOTE: the developer has publicly disputed the claim that this is a vulnerability because pppoe "is NOT designed to run setuid-root." Therefore this identifier applies *only* to those configurations and installations under which pppoe is run setuid root despite the developer's warnings.
- Phase
- Assigned (20040614)
- Votes
- NOOP(1) Christey
- Comments
- Christey> In addition to the public statement made to Bugtraq, David F. Skoll, the developer of pppoe, says:
  > CVE-2004-0564 is a bogus "vulnerability". rp-pppoe is NOT meant to be installed setuid-root. One might as well file a "vulnerability" on "cat" because if "cat" is setuid-root, then an "attacker" can read any file on the system.
  >
  > This vulnerability is more properly a Debian vulnerability because Debian ... insecurely installs rp-pppoe suid-root.
  >
  > Please add my comments to the "Comments" field of the CVE; I don't think it should be blessed with an official listing.