Path: utzoo!attcan!uunet!mcvax!hp4nl!phigate!prle!prles2!nvpna1!collins
From: collins@nvpna1.prl.philips.nl (Donal O Coileain)
Newsgroups: comp.sys.apollo
Subject: Re: security hole
Message-ID: <641@prles2.UUCP>
Date: 10 Aug 89 09:21:30 GMT
References: <44e9d7d4.c4b0@apollo.HP.COM> <511@eda.com>
Sender: nobody@prles2.UUCP
Reply-To: collins@nvpna1.UUCP (Donal O Coileain)
Organization: Philips Research Labs (Nat Lab), Eindhoven, The Netherlands.
Lines: 30

In article <511@eda.com> jim@eda.com (Jim Budler) writes:
>From Apollo?
>
>	Every month, an invoice arrives. (Well, not any more 8^)

Apollo produces a patch tape every month. In the 9.7 patch tape for JUNE 89,
months before this discussion was started, I read:

 "Patch 184 APR DCB34 : A security hole existed in the pad_$dm_cmd
	   ..........................
  Now if the two user_ids are not equal, the command is disallowed and
  the following error status is returned:

	'operation is illegal when no display is attached'"

You cannot blame Apollo because you don't read the release notes or 
understand the bugs/fixes.

>I fully agree with the posting of the bug. Look, INSTANT action.
>Explicit mention of compatibility of /lib/streams. High awareness
>in community of seriousness of bug.

I see no problem in posting the problem; however, I feel that it is not
necessary to post the source code as well.


Donal O Coileain.   collins@apolloway.prl.philips.nl   or
                    collins%nvpna1.prl.philips.nl@uunet.uu.nl
-- And out of the gloom a voice said, 'Smile and be happy for things could
   be a lot worse'. So I smiled and was happy and behold, things got worse --