
There is a /tmp bug in the OpenBSD port of wide-dhcp.


[ http://www.rootshell.com/ ]

From form@vs.itam.nsc.ru Fri Jul 17 12:47:17 1998
Date: Fri, 17 Jul 1998 19:52:31 +0700 (NOVST)
From: Oleg Safiullin <form@vs.itam.nsc.ru>
To: www-request@rootshell.com
Subject: wide-dhcp security hole

Bug found in OpenBSD port of wide-dhcp /created by me :-)/.

WIDE DHCP server creates /tmp/addrpool_dump without checking if this file
already exists, so any user can overwrite any file doing something like this:

ln -s /etc/master.passwd /tmp/addrpool_dump

This bug is already fixed in the OpenBSD ports tree. The author of wide-dhcp has
been notified.

If you are currently using wide dhcp, you can fix this error by adding

unlink(ADDRPOOL_DUMP) before fopen(ADDRPOOL_DUMP, "w+") in files
server/dhcps.c
server/database.c

Sorry for patchless message - I've made this fix only over patched sources for
OpenBSD. And of course, sorry for my poor English :)

---
* FORTRAN: God is real, unless declared integer...
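
Added example (not part of the original message or of the wide-dhcp sources): the unlink() step from the advisory followed by an exclusive create, so that a link re-planted between unlink() and the open makes the open fail instead of being followed. The function names, the temp directory and the file names "victim" and "dump" are hypothetical and constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* fdopen, mkdtemp, symlink, lstat */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* O_CREAT|O_EXCL makes open() fail with EEXIST on any existing entry at path,
 * including a symlink (dangling or not), so a planted link is never followed. */
FILE *create_excl(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    FILE *fp = fd == -1 ? NULL : fdopen(fd, "w+");
    if (fd != -1 && fp == NULL)
        close(fd);
    return fp;
}

/* The unlink() step from the advisory, then exclusive creation. unlink()
 * removes the link itself, never the file it points to. */
FILE *open_dump(const char *path)
{
    if (unlink(path) == -1 && errno != ENOENT)
        return NULL;
    return create_excl(path);
}

/* Constructed scenario in a private temp directory: "dump" is a symlink to
 * "victim". Returns 0 if victim keeps its content and dump ends up regular. */
int symlink_demo(void)
{
    char dir[] = "/tmp/dumpdemoXXXXXX", victim[64], dump[64];
    struct stat st;
    FILE *fp;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dump, sizeof dump, "%s/dump", dir);
    if ((fp = fopen(victim, "w")) == NULL || fputs("keep", fp) == EOF || fclose(fp) == EOF) return -1;
    if (symlink(victim, dump) == -1) return -1;
    if (create_excl(dump) != NULL || errno != EEXIST) return 1;  /* link present: refused */
    if ((fp = open_dump(dump)) == NULL) return 2;                /* link removed, file created */
    fputs("pool", fp);
    fclose(fp);
    if (lstat(dump, &st) == -1 || !S_ISREG(st.st_mode)) return 3;   /* dump is a real file */
    if (stat(victim, &st) == -1 || st.st_size != 4) return 4;       /* victim still "keep" */
    unlink(dump); unlink(victim); rmdir(dir);
    return 0;
}
```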
