On Sun, May 17, 1998 at 02:52:10PM -0500, David Zhao wrote:
.....
>
> this fixes the exploit given and is a classic stack overflow exploit, the
> thing is KDE uses the getenv function multiple times to get the home
> directory (in other kde suites and programs as well) instead of getting it
> from the passwd file, strange. Most are not vulnerable cause they aren't
> suid, but it still seems to be bad programming since you can change the
> environment from the shell. The only suid programs are klock, kppp, and
> the *.kss files, I haven't checked the kss programs for bugs yet, but this
> will fix the klock.
>

to be safe:

#for kde beta 3 and kde beta 4
--- kdebase/kscreensaver/main.cpp.sec	Sat Jan 10 01:13:31 1998
+++ kdebase/kscreensaver/main.cpp	Mon Feb 23 19:33:45 1998
@@ -206,6 +206,14 @@
 int main( int argc, char *argv[] )
 {
+    initPasswd();
+
+    if (getgid() != getegid())
+        setegid(getgid());
+
+    if (geteuid() != getuid())
+        seteuid(getuid());
+
     Window saveWin;
     int timeout = 600;
     ProgramName = argv[0];

#for kde beta 4:
--- kdebase/kscreensaver/main.cpp.sec	Sat Jan 10 01:13:31 1998
+++ kdebase/kscreensaver/main.cpp	Mon Feb 23 19:33:45 1998
@@ -286,11 +294,6 @@
     }
     i++;
     }
-
-    initPasswd();
-    // drop root privileges before we do anything important
-    setuid(getuid());
-
     if ( mode == MODE_INSTALL )
     {

#for kde beta 3:
--- kdebase/kscreensaver/main.cpp.sec	Sat Jan 10 01:13:31 1998
+++ kdebase/kscreensaver/main.cpp	Mon Feb 23 19:33:45 1998
@@ -286,8 +294,6 @@
     }
     i++;
     }
-
-    initPasswd();
     if ( mode == MODE_INSTALL )
     {

this is used by klock and all *.kss files.
if you have PAM, kscreensaver need not be suid, the patch is a bit long (6K)
so I will not post it here.

Regards
Luca

--
Luca Berra -- blucaat_private
 System and Network Manager - CoMedia s.r.l.
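Review bot: the block added at the top of main() in the beta 3/beta 4 hunk (@@ -206,6 +206,14 @@) drops only the effective ids with setegid()/seteuid(), which leaves the saved set-user-ID at root and keeps the drop reversible, whereas the call it replaces, setuid(getuid()), resets the real, effective and saved ids together when the effective uid is 0. If nothing after initPasswd() needs root again, keep an irreversible drop (setgid(getgid()) before setuid(getuid()), group first, as the hunk already orders them) and check the return values instead of assuming the calls succeeded. Moving the drop ahead of the argument loop limits what the environment-driven stack overflow described in the quoted reply can gain, but it does not remove the overflow in the handling of the getenv() result, so that copy still needs a bound.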
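Review bot: the beta 4 hunk at @@ -286,11 +294,6 @@ removes the only privilege drop present in the file, the setuid(getuid()) after the option loop, together with the comment explaining it; applied on its own it leaves the screensaver running as root for the whole of main(), so it must ship only together with the @@ -206 hunk that re-adds the drop at the top of main(), and the "drop root privileges before we do anything important" comment is worth carrying over to the new location rather than deleting. The relocation itself is the right direction: the removed call sat after argv had already been parsed with root privileges.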
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:53:57 PDT