arkth wrote:

> While a few days ago there was discussion about bash overflow on bugtraq I
> found another overflow in tcsh-6.07.09-1 [ rh 5.2 ].
> The problem is in too long $HOME environment variable [ very old thing -
> zgv overflow ]. I don't know if it's a dangerous problem, but like someone
> said this shell can be used in some kind of script with SUID, etc.

From the tcsh changelog:

    93. V6.07.12 - 19980918
    90. Avoid buffer overflows in directory code (kim)

Looks like the fault you found was fixed in 6.07.12.

However, I tried the "exploit" given using tcsh 6.08.04, and found that tcsh
still crashes, but this time with a SIGABRT rather than SIGSEGV.

Checking in the source shows:

    /*
     * kim: if the path given is too long abort().
     */
    if (Strlen(cp) >= MAXPATHLEN)
        abort();

i.e. this behaviour is hard-coded deliberately.

This is the stacktrace from GDB:

    (gdb) bt
    #0  0x40097781 in __kill ()
    #1  0x400975af in raise (sig=6) at ../sysdeps/posix/raise.c:27
    #2  0x400987bf in abort () at ../sysdeps/generic/abort.c:83
    #3  0x804db5b in dcanon (cp=0x80aa808, p=0x80aa808) at sh.dir.c:829
    #4  0x80553f5 in dosetenv (v=0x80b2a08, c=0x80b3fc8) at sh.func.c:1402
    #5  0x8053c3e in func (t=0x80b3fc8, bp=0x80815d0) at sh.func.c:141
    #6  0x805f677 in execute (t=0x80b3fc8, wanttty=22898, pipein=0x0, pipeout=0x0) at sh.sem.c:642
    #7  0x805f831 in execute (t=0x80b3fa8, wanttty=22898, pipein=0x0, pipeout=0x0) at sh.sem.c:719
    #8  0x804c1ac in process (catch=1) at sh.c:2094
    #9  0x804b440 in main (argc=0, argv=0xbffff568) at sh.c:1312

Phil
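As an added example (not tcsh's own code), a bounded path canonicaliser in the spirit of dcanon(): it applies the same `Strlen(cp) >= MAXPATHLEN` test the post quotes, but returns an error to the caller instead of calling abort(), so an oversized $HOME produces a diagnostic while the shell keeps running. The function name canon_path, the 1024 fallback for MAXPATHLEN and the sample inputs are assumptions.

```c
/* Added example, not tcsh source: bounded canonicalisation instead of abort(). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024   /* assumed fallback when the platform header lacks it */
#endif

/* Collapse "//", "/./" and "/../" in an absolute path into out[MAXPATHLEN].
 * Returns 0 on success, -1 (errno set) on a relative path or when the result
 * would not fit; out is never written past MAXPATHLEN-1 bytes. */
int canon_path(const char *in, char out[MAXPATHLEN])
{
    size_t len = 0;                           /* bytes written, excluding NUL */
    if (in[0] != '/') { errno = EINVAL; return -1; }
    for (const char *p = in; *p; ) {
        while (*p == '/') p++;                /* skip redundant slashes */
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t clen = (size_t)(p - start);
        if (clen == 0 || (clen == 1 && start[0] == '.')) continue;  /* "" or "." */
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            while (len > 0 && out[len - 1] != '/') len--;   /* drop last component */
            if (len > 0) len--;                              /* and its slash */
            continue;
        }
        /* Same test as tcsh's dcanon, but fail the call rather than the process. */
        if (len + 1 + clen >= MAXPATHLEN) { errno = ENAMETOOLONG; return -1; }
        out[len++] = '/';
        memcpy(out + len, start, clen);
        len += clen;
    }
    if (len == 0) out[len++] = '/';           /* everything cancelled: root */
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char buf[MAXPATHLEN], *home = malloc(MAXPATHLEN + 2);  /* constructed oversized $HOME */
    if (home == NULL) return 1;
    memset(home, 'A', MAXPATHLEN + 1); home[0] = '/'; home[MAXPATHLEN + 1] = '\0';
    if (canon_path("/home//phil/./x/../y", buf) == 0) printf("ok: %s\n", buf);
    if (canon_path(home, buf) != 0) printf("rejected: %s\n", strerror(errno));
    free(home);
    return 0;
}
```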
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:46:33 PDT