xnecat_private writes:
> greetings,
>
> INFO:
>
> There is a local root compromise in /usr/bin/gnuplot version Linux version 3.5
> (pre 3.6) patchlevel beta 336. gnuplot is shipped to install suidroot on
> SuSE 5.2 and maybe others. The exploit starts as a simple $HOME buffer
> overflow, but much like zgv holes in the past, it drops root privs before the
> overflow occurs. However, as Nergal describes at
> http://www.geek-girl.com/bugtraq/1998_4/0148.html, svgalib needs write access
> to /dev/mem, and we can therefore regain root privs by overwriting our uid.
>
> the offending code appears in plot.c where we see:
>
> char home[80];
> ...
> char *tmp_home=getenv(HOME);
> ...
> strcpy(home,tmp_home);

This particular piece of code has been changed before the release of gnuplot release 3.7 to use a "safe" version of strncpy(). We recommend that all vendors shipping obsolete beta versions of gnuplot upgrade.

> Since I can see absolutely no reason for gnuplot to be suidroot, the best
> fix is chmod -s /usr/bin/gnuplot.

It is my understanding that gnuplot requires root privileges so that SVGAlib can access the gfx board. Other than that, there is no reason for making it suid, and I'd rather prefer a better solution.

> void main(int argc, char *argv[]) {
  ^^^^ Yeuch!

--
As Zeus said to Narcissus, "Watch yourself."
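The bounded copy mentioned in the reply, sketched as an added example (not gnuplot's actual code and not part of the original message). The helper name `copy_env_path` and the `HOME_BUF` constant are hypothetical; the example assumes the fix must both terminate the 80-byte buffer and report truncation, since `strncpy()` alone does neither.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOME_BUF 80 /* same size as the home[80] buffer quoted above */

/*
 * copy_env_path() is a hypothetical helper, not gnuplot's function.
 * Copies at most dstsize-1 bytes of src into dst and always terminates.
 * Returns 0 if src fit, 1 if it was truncated, -1 if src was NULL
 * (variable unset) or the destination is unusable.
 */
int copy_env_path(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0'; /* strncpy leaves no NUL when src is too long */
    return strlen(src) >= dstsize ? 1 : 0;
}

int main(void)
{
    char home[HOME_BUF];
    int rc = copy_env_path(home, sizeof home, getenv("HOME"));

    if (rc != 0) {
        /* A truncated path names a different directory: refuse it. */
        fprintf(stderr, "HOME is %s, not using it\n",
                rc < 0 ? "unset" : "too long");
        return 1;
    }
    printf("home = %s\n", home);
    return 0;
}
```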
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:05 PDT