On Fri, Aug 28, 1998 at 03:53:07AM +0100, Alan Cox wrote:
> Expect similar announces from other Linux vendors to follow this one. The
> bug is, as far as I can tell, in Linux-specific portmap code, so this is
> unlikely to affect non-Linux portmappers. I'll post an explanation once
> the other vendor announcements are out.

I've looked through the code... I assume that everyone interested in this with a bit of C and English knowledge should be able to find out, by looking at the diffs, where in the code the mentioned problems are located and of what kind they are. To understand the following, look at the diff from the new source RPM.

Currently I see no way to exploit this in the way the nfs package is shipped with Red Hat Linux (as far as I can see from the source RPM) unless the nfs or mountd daemon gets a SIGUSR1 (kill -10) signal while running. The only messages that still get logged without this are L_WARNING, L_FATAL and L_ERROR.

CALL_PROFILING isn't defined by default, so I didn't look through what would happen if it were defined. I looked through every call to Dprintf that reaches the vulnerable code parts and found nothing dangerous (hope I didn't miss something).

Just as a sidenote: if CALL_PROFILING were defined we would encounter this nice goodie:

    nfs_dispatch.c:#define PATH_PROFILE "/tmp/nfsd.profile"

(bad idea for a default)

WANT_LOG_MOUNTS isn't defined by default; I didn't look through what happens when it is defined.

I hope I didn't miss anything.. if I did, please correct me! I guess, from what I've seen, people using the binary supplied by Red Hat who didn't toy around with signals are safe from this.

Ah yes, _maybe_ there's a problem when logging stuff with paths > 1024... didn't look further into it. Shouldn't make problems unless the attacker gets writable access to your filesystem... (maybe if you have a very long directory structure on your system this could result in a DoS attack without write access.. but.. who has paths that big, and who cares?)
bye,
paul

--
[ Paul S. Boehm | paulat_private | http://paul.boehm.org/ | infected@irc ]
Money is what gives a programmer his resources. It's an exchange system
created by human beings. It surrounds us. Works for us, binds the economy together.
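The following is an added illustration, written for this archive page; it is not code from the nfs-server package, from the Red Hat diff, or from Paul's post, and it does not claim to reproduce the bug the diff fixes (the diff itself is not on this page). It models the two conditions the post circles around: debug-level logging that only becomes reachable after nfsd or mountd receives SIGUSR1 (kill -10), while L_WARNING/L_FATAL/L_ERROR are always written, and a fixed 1024-byte line buffer that is fed a path longer than it can hold. The level names and the SIGUSR1 toggle are taken from the post; every function name, the buffer size, the "tag: path" line format and the numeric level values are assumptions made here. The unbounded sprintf() form is shown next to a bounded form that reports truncation instead of writing past the buffer.

```c
/* Added example (hypothetical daemon logging code, not nfs-server's own). */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_LINE_MAX 1024   /* assumed fixed line buffer, sized to the ">1024" concern in the post */

/* Level names are the ones the post lists; the numbering is an assumption. */
enum { L_FATAL = 0, L_ERROR, L_WARNING, L_DEBUG };

static volatile sig_atomic_t debug_enabled = 0;

/* SIGUSR1 (kill -10) flips debug logging at run time, as the post describes for nfsd/mountd. */
static void on_sigusr1(int sig)
{
    (void)sig;
    debug_enabled = !debug_enabled;
}

/* Install the toggle handler; returns 0 on success (sigaction's result). */
int install_debug_toggle(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigusr1;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(SIGUSR1, &sa, NULL);
}

/* Gate: L_WARNING/L_FATAL/L_ERROR always log; L_DEBUG only after the toggle. */
int log_enabled(int level)
{
    return level == L_DEBUG ? (debug_enabled != 0) : 1;
}

/* VULNERABLE form (shown, never called): the write is unbounded, so a path of
 * roughly LOG_LINE_MAX bytes or more runs past the caller's buffer. */
void format_line_unsafe(char *out, const char *tag, const char *path)
{
    sprintf(out, "%s: %s", tag, path);
}

/* Bounded form: returns 0 if the line fit, 1 if it was truncated, -1 on error.
 * 'out' is always NUL-terminated when the function returns. */
int format_line(char *out, size_t outsz, const char *tag, const char *path)
{
    int n;
    if (outsz == 0) return -1;
    n = snprintf(out, outsz, "%s: %s", tag, path);
    if (n < 0) { out[0] = '\0'; return -1; }
    return (size_t)n >= outsz ? 1 : 0;
}

/* Log one line through the gate and the bounded formatter.
 * Returns 0 suppressed, 1 written, 2 written but truncated (worth flagging:
 * someone handed the daemon a path the line buffer cannot hold). */
int log_path(int level, const char *tag, const char *path)
{
    char line[LOG_LINE_MAX];
    int rc;
    if (!log_enabled(level)) return 0;
    rc = format_line(line, sizeof line, tag, path);
    if (rc < 0) return 0;
    fprintf(stderr, "%s%s\n", line, rc ? " [truncated]" : "");
    return rc ? 2 : 1;
}

/* Experiment helper: build a constructed path of 'pathlen' bytes and format it.
 * Returns format_line()'s result and stores the resulting line length in *linelen. */
int try_path_len(size_t pathlen, size_t *linelen)
{
    char line[LOG_LINE_MAX];
    char *path = malloc(pathlen + 1);
    int rc;
    if (!path) return -1;
    memset(path, 'a', pathlen);
    path[pathlen] = '\0';
    rc = format_line(line, sizeof line, "mount", path);
    *linelen = strlen(line);
    free(path);
    return rc;
}

int main(void)
{
    size_t len;
    install_debug_toggle();
    log_path(L_DEBUG, "mount", "/export/home");   /* suppressed: debug is off by default */
    raise(SIGUSR1);                                /* same effect as kill -10 <pid> */
    log_path(L_DEBUG, "mount", "/export/home");   /* now written */
    printf("2000-byte path: rc=%d, line kept to %zu bytes\n", try_path_len(2000, &len), len);
    return 0;
}
```

The point of the bounded form is not only that it avoids the overrun: its return value lets the daemon notice that a caller supplied a path longer than the log line, which is exactly the condition the post flags as unexplored. Whether the real code had that problem is not established on this page; the diff is.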
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:58 PDT