dip-3.3.7o security hole

From: Goran Gajic (ggajicat_private)
Date: Tue May 05 1998 - 04:28:21 PDT


    Hi,
    
    There is a potential security hole in dip-3.3.7o, which is installed
    suid root in the Slackware 3.4 distribution (if selected). Just try this:
    ~> dip -k -l `perl -e 'print "a" x 2000'`
    and you will get something like:
    
    DIP: cannot open /var/lock/LCK..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaa:No such file or directory
    Segmentation fault
    
    If you look at the dip source, main.c, or do an strace, you will find that the problem
    is with sprintf, line 192:
    
         sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam);
    
    Here is the obvious patch:
    
    --- main.c      Tue Feb 13 03:03:35 1996
    +++ main.c      Mon May  4 23:36:49 1998
    @@ -189,7 +189,7 @@
         return;
       }
    
    -  sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam);
    +  snprintf(buf, sizeof(buf), "%s/LCK..%s", _PATH_LOCKD, nam);
    
       fp = fopen(buf, "r");
       if (fp == (FILE *)0) {
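    Review bot: the snprintf at the `+` line stops the write past the end of buf but leaves truncation unhandled, so buf can end up holding a shortened lock-file name and the unchanged `fp = fopen(buf, "r");` below goes on to open that path as if it were the one the user asked for. Check the return value: with C99 semantics a result `>= sizeof(buf)` means the name did not fit, and the snprintf in some libcs of this era returns -1 on truncation instead; treat both as an error and `return;` before the fopen(), as the function already does for its other early exit in the context above.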
    
    Or chmod -s dip.
    
    Goran Gajic
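An added example, not dip's own code and not part of the post above, showing the lock-path construction with the truncation check that a bounded sprintf still needs; LOCK_DIR and the 128-byte buffer are assumptions standing in for dip's _PATH_LOCKD and its real buffer size:

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for dip's _PATH_LOCKD; the real value lives in dip's headers. */
#define LOCK_DIR "/var/lock"

/*
 * Build "<LOCK_DIR>/LCK..<nam>" into buf without ever writing past buflen.
 * Returns the length of the path on success, or -1 when the name does not
 * fit. On -1 the caller must not use buf: a silently truncated lock-file
 * name is not the lock the user asked for.
 */
int build_lock_path(char *buf, size_t buflen, const char *nam)
{
    int n;

    if (buf == NULL || buflen == 0 || nam == NULL)
        return -1;

    n = snprintf(buf, buflen, "%s/LCK..%s", LOCK_DIR, nam);

    /* C99 snprintf returns the length it wanted to write; some older libcs
     * returned -1 on truncation instead. Reject both outcomes. */
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';
        return -1;
    }
    return n;
}

/* Accept-or-reject check with an assumed 128-byte path buffer (constructed size). */
int lock_name_fits(const char *nam)
{
    char buf[128];
    return build_lock_path(buf, sizeof(buf), nam) >= 0;
}

/* The post's own input: a 2000-character name (perl -e 'print "a" x 2000'). */
int report_input_fits(void)
{
    static char nam[2001];
    memset(nam, 'a', 2000);
    nam[2000] = '\0';
    return lock_name_fits(nam);
}
```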
    