From billy@utdallas.edu  Wed Sep  4 05:46:05 1996
Received: from utdallas.edu (utdallas.edu [129.110.10.1]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id FAA26370 for <best-of-security@suburbia.net>; Wed, 4 Sep 1996 05:45:55 +1000
Received: from frog.utdallas.edu (frog.utdallas.edu [129.110.10.11]) by utdallas.edu (8.7.5/8.7.3) with SMTP id OAA25938; Tue, 3 Sep 1996 14:45:28 -0500 (CDT)
Received: by frog.utdallas.edu (SMI-8.6/SMI-SVR4)
	id OAA01611; Tue, 3 Sep 1996 14:45:28 -0500
From: billy@utdallas.edu (Billy Barron)
Message-Id: <199609031945.OAA01611@frog.utdallas.edu>
Subject: BoS:      [BUG] Vulnerability in TIN (more info)
To: best-of-security@suburbia.net
Date: Tue, 3 Sep 1996 14:45:27 -0500 (CDT)
Cc: cert@cert.org
X-WWW-Page: http://www.utdallas.edu/acc/billy.html
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text

Shyne-Song Chuang outlined a security problem with Tin.  I have
verified that the problem does exist.  However, there is an
easy fix.  When compiling TIN, add the "-DDONT_LOG_USER" flag
to your compile.  It will turn off the code which creates this
file.

However, that is not the only Tin security hole.  I discovered another
one.  If debugging is turned on, another file is created in /tmp with
mode 666, which can be explioted.  The filename is a moving target, but
I am sure it is predictable in some way (I didn't investigate enough to
figure it out).  To avoid this problem, make sure you did not compile
with "-DDEBUG".

-- 
Billy Barron                      billy@utdallas.edu
New Technology Specialist 
University of Texas at Dallas     URL:http://www.utdallas.edu/