Hiyas, If you send SIGHUP to xinetd, you get a dump file to /tmp/xinetd.dump, but this method isn't checked against /tmp, and it happily overwrites anything in the place of that file. The package has been released in 1997, IMHO this is too old to have a bug of this kind hidden. BTW here's the patch: diff -ruN xinetd-2.2.1.orig/xinetd/internals.c xinetd-2.2.1/xinetd/internals.c --- xinetd-2.2.1.orig/xinetd/internals.c Sun Nov 8 13:28:00 1998 +++ xinetd-2.2.1/xinetd/internals.c Sun Nov 8 13:27:33 1998 @@ -55,7 +55,14 @@ register int fd ; register unsigned u ; char *func = "dump_internal_state" ; + struct stat sb; + if (!(stat(dump_file, &sb)==-1&&errno==ENOENT)&&(!S_ISREG(sb.st_mode)||sb.st_nlink>1)) + { + msg( LOG_ERR, func, "failed to open %s: maybe a vulnerable link", dump_file ) ; + return ; + } + dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_APPEND, DUMP_FILE_MODE ) ; if ( dump_fd == -1 ) { -- Linux Supporting Center -- Red Hat Qmail packages -- http://lsc.kva.hu PGP 0x1DE3631D / A8 B4 92 EE 1F 55 27 C8 86 64 9C 42 41 A4 BD B8
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:22:48 PDT