I installed SAS without any suid bits in May of 2000, and no one has complained about anything not working. Removing the suid bit probably won't hurt anything. Also, my version is 8.00 and seems only to have the format string problem, not the buffer overflow.

On Tue, Jan 29, 2002 at 09:59:41AM +0000, Wodahs Latigid wrote:
> IMPACT
>
> sastcpd is installed setuid root by default, and therefore
> full root privileges can be obtained through exploitation
> of either of these vulnerabilities.

> Version tested:
> SAS Job Spawner for Open Systems version 8.01

--
William Colburn, "Sysprog" <wcolburn@nmt.edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn