On Wed, 14 Jan 1998, Cotfas Vladimir-Marian wrote:
[snip]
>
> Here's a wrapper for this bug and for the older XF86 security vulnerability
> (i.e. XF86_XX -config /etc/shadow)
>
> Vladimir
>
> ----------------------------cut from here-------------------------------
> /*
> Description: X server wrapper
>
> Goals:
> 1. wrap the "-config" security vulnerabillity
> 2. wrap the :000000000000...00000000000000009 potential buffer overflow
>
I would add in a check for a singular arg > some maximum length:
It would also be a good idea to clean the environment before invoking
the Xserver. (left as an excercise for the reader)
Scott Crosby
----------------------------cut from here-------------------------------
--- x1.c Thu Jan 15 02:25:26 1998
+++ x2.c Thu Jan 15 02:40:59 1998
@@ -39,6 +39,7 @@
*/
#define _DEBUG
#define SIZE 1024
+#define MAX_LEN 240
/* guaranteed filled with NULLs by UNIX */
char* args[SIZE];
@@ -75,6 +76,11 @@
syslog(LOG_NOTICE, "security vulnerability at arg #%d user %s \n",
i, pass->pw_name);
i++;
+ continue;
+ }
+ if(strlen(argv[i]) >= MAX_LEN){
+ syslog(LOG_NOTICE, "too long arg at #%d user %s \n", i, pass->pw_name);
+ i++;
continue;
}
if(argsCount >= SIZE){
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:39:11 PDT