On 23 February I send to bugtraq a comment about this problem (ignored by aleph1 ? hehe :) http://www.nearz.org/new/lynx/text/1999/FEB-Pathnames On Fri, 30 Apr 1999, Sergey V. Kolychev wrote: > Hi. > > I had problem with locate from findutils-4.1.24.rpm from Redhat-5.1 > It segfaults if we have huge directory at incoming ftp which created > by exploits for ftpd realpath hole. My ftpd is patched. Those exploits > ,i think, should not afraid me, but if updatedb puts to locate database > that directory then locate segfaults. ( getline.c 104 row by gdb ) > I guess it can be used for running arbitrary commands if root runs locate. > > I had look to latest Redhat-6.0 findutils-4.1.31.rpm but it still > based on findutils-4.1 as well as findutils-4.1.24 and haven't any > patches from redhat concerning subject and I am sure it stiil vulnerable. > > > ----------------------Alchevsk Linux User Group----------------------- > I don't call, I don't cry , I don't sorry. > All will gone like a white appletreeses's smoke... (S.Esenin) > http://www.ic.al.lg.ua/~ksv | e-mail: ksvat_private > PGP key & Geekcode: finger ksvat_private >
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:44:39 PDT