On Wed, 14 Jan 1998, Cotfas Vladimir-Marian wrote: [snip] > > Here's a wrapper for this bug and for the older XF86 security vulnerability > (i.e. XF86_XX -config /etc/shadow) > > Vladimir > > ----------------------------cut from here------------------------------- > /* > Description: X server wrapper > > Goals: > 1. wrap the "-config" security vulnerabillity > 2. wrap the :000000000000...00000000000000009 potential buffer overflow > I would add in a check for a singular arg > some maximum length: It would also be a good idea to clean the environment before invoking the Xserver. (left as an excercise for the reader) Scott Crosby ----------------------------cut from here------------------------------- --- x1.c Thu Jan 15 02:25:26 1998 +++ x2.c Thu Jan 15 02:40:59 1998 @@ -39,6 +39,7 @@ */ #define _DEBUG #define SIZE 1024 +#define MAX_LEN 240 /* guaranteed filled with NULLs by UNIX */ char* args[SIZE]; @@ -75,6 +76,11 @@ syslog(LOG_NOTICE, "security vulnerability at arg #%d user %s \n", i, pass->pw_name); i++; + continue; + } + if(strlen(argv[i]) >= MAX_LEN){ + syslog(LOG_NOTICE, "too long arg at #%d user %s \n", i, pass->pw_name); + i++; continue; } if(argsCount >= SIZE){
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:39:11 PDT