Re: simple kde exploit fix

From: Luca Berra (blucaat_private)
Date: Mon May 18 1998 - 08:48:45 PDT

    On Sun, May 17, 1998 at 02:52:10PM -0500, David Zhao wrote:
    .....
    >
    > This fixes the exploit given, which is a classic stack overflow exploit. The
    > thing is, KDE uses the getenv function multiple times to get the home
    > directory (in other KDE suites and programs as well) instead of getting it
    > from the passwd file, which is strange. Most are not vulnerable because they
    > aren't suid, but it still seems to be bad programming since you can change
    > the environment from the shell. The only suid programs are klock, kppp, and
    > the *.kss files. I haven't checked the kss programs for bugs yet, but this
    > will fix klock.
    >
    
    to be safe:
    #for kde beta 3 and kde beta 4
    --- kdebase/kscreensaver/main.cpp.sec   Sat Jan 10 01:13:31 1998
    +++ kdebase/kscreensaver/main.cpp       Mon Feb 23 19:33:45 1998
    @@ -206,6 +206,14 @@
    
     int main( int argc, char *argv[] )
     {
    +       initPasswd();
    +
    +       if (getgid() != getegid())
    +               setegid(getgid());
    +
    +       if (geteuid() != getuid())
    +               seteuid(getuid());
    +
            Window saveWin;
            int timeout = 600;
            ProgramName = argv[0];
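    Review bot: seteuid(getuid()) and setegid(getgid()) change only the effective ids, so in a set-uid-root klock the saved set-user-ID stays 0 and anything that runs later in main(), including code reached through the stack overflow this thread is about, can call seteuid(0) and get root back; the `setuid(getuid())` removed further down in the beta 4 hunk did clear it, because setuid() called by root sets the real, effective and saved uid together. Unless something after this point still needs root (presumably why initPasswd() is called before the drop), use setgid(getgid()) and setuid(getuid()) here, in that order, and treat a -1 return from either as fatal instead of continuing as root.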
    #for kde beta 4:
    --- kdebase/kscreensaver/main.cpp.sec   Sat Jan 10 01:13:31 1998
    +++ kdebase/kscreensaver/main.cpp       Mon Feb 23 19:33:45 1998
    @@ -286,11 +294,6 @@
                    }
                i++;
            }
    -
    -       initPasswd();
    -       // drop root privileges before we do anything important
    -       setuid(getuid());
    -
    
            if ( mode == MODE_INSTALL )
            {
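    Review bot: with `setuid(getuid())` removed here, the comment it carried ("drop root privileges before we do anything important") no longer describes what is left, since the only drop remaining in the file is the seteuid()/setegid() pair added at the top of main(), and those keep the saved uid. Either keep a full setuid(getuid()) at the new location or move this comment up with it so the next reader knows where and how far privileges are dropped.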
    #for kde beta 3:
    --- kdebase/kscreensaver/main.cpp.sec   Sat Jan 10 01:13:31 1998
    +++ kdebase/kscreensaver/main.cpp       Mon Feb 23 19:33:45 1998
    @@ -286,8 +294,6 @@
                    }
                i++;
            }
    -
    -       initPasswd();
    
            if ( mode == MODE_INSTALL )
            {
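    Review bot: this hunk only removes the initPasswd() call, so it has to be applied together with the shared beta 3/beta 4 hunk that re-adds it at the top of main(); applied alone it leaves kscreensaver with no initPasswd() call, and the shared hunk alone leaves two. The "main.cpp.sec" and "main.cpp" timestamps are identical to the beta 4 hunk's, which is worth double-checking since the two hunks target different source trees.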
    
    This is used by klock and all *.kss files.
    If you have PAM, kscreensaver need not be suid; the patch is a bit long
    (6K), so I will not post it here.
    
    Regards
    Luca
    --
    Luca Berra -- blucaat_private
        System and Network Manager - CoMedia s.r.l.
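An added example (my own code, not KDE's and not from this thread) that puts the two points of the thread side by side in C: the unbounded getenv("HOME") copy David Zhao describes, a version that takes the home directory from the passwd database with a bounded copy, and a privilege drop that uses setgid()/setuid() so the saved uid cannot be used to regain root, with the result verified rather than assumed. All function names and the 256-byte buffer size are this example's own assumptions.

```c
/*
 * Added example, not from the KDE sources or the post above: the getenv(HOME)
 * pattern beside a hardened version, plus an irreversible privilege drop.
 * Function names and HOME_MAX are this example's own assumptions.
 */
#define _XOPEN_SOURCE 700
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define HOME_MAX 256

/* The vulnerable pattern: a fixed stack buffer filled from an attacker-controlled
 * environment variable with no length check. In a set-uid binary a HOME longer
 * than the buffer overwrites the saved return address. Shown for contrast only;
 * nothing in this example calls it. */
void home_from_env_unsafe(void)
{
    char buf[HOME_MAX];
    const char *home = getenv("HOME");    /* the user picks this in the shell */
    if (home == NULL)
        return;
    strcpy(buf, home);                    /* no bound: classic stack overflow */
    printf("home (from environment): %s\n", buf);
}

/* Bounded copy: returns 0 on success, -1 if src plus its NUL does not fit.
 * On the too-long path dst is left as an empty string, never partially filled. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n;
    if (dstlen == 0 || src == NULL)
        return -1;
    n = strlen(src);
    if (n >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened form: resolve the home directory from the passwd entry of the real
 * uid, which a local user cannot forge the way they can the environment. */
int home_from_passwd(char *dst, size_t dstlen)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_dir == NULL || pw->pw_dir[0] == '\0')
        return -1;
    return copy_bounded(dst, dstlen, pw->pw_dir);
}

/* Irreversible privilege drop for a set-uid/set-gid root program.
 * setgid()/setuid() called by root set the real, effective and saved ids,
 * unlike setegid()/seteuid(), which leave the saved id at 0 so a later
 * seteuid(0) restores root. Group first: once the uid is dropped, setgid()
 * could no longer succeed. Returns 0 only when every id matches the invoking
 * user and, for a non-root user, root provably cannot be regained. */
int drop_privileges_forever(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify, don't assume: for a non-root caller, regaining euid 0 must fail. */
    if (uid != 0 && seteuid(0) == 0)
        return -1;                        /* saved uid was still root */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    char home[HOME_MAX];

    /* Drop first, before argv or the environment are looked at. */
    if (drop_privileges_forever() != 0) {
        fprintf(stderr, "cannot drop privileges irreversibly\n");
        return 1;
    }
    if (home_from_passwd(home, sizeof home) != 0) {
        fprintf(stderr, "no usable home directory for uid %ld\n", (long)getuid());
        return 1;
    }
    printf("home (from passwd): %s\n", home);
    return 0;
}
```

Run as an ordinary user the drop changes nothing, but the check that seteuid(0) fails still executes; installed set-uid root it exercises the real path, and a build that replaced setuid() with seteuid() in drop_privileges_forever() would fail the same check, which is the point of verifying instead of trusting the call.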
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:53:57 PDT