[Disclaimer: I didn't discover this... I'm just responding to it]

I took a look at the code today. It's the same problem that bit the Linux
mount daemon (I'm so glad I'm not the only stupid person on this planet).
It uses a logging function that happily sprintf's to a fixed length string
on the stack.

The fun part is that if you've tried to play it safe and compiled amd with
--disable-amq-mounts, you're vulnerable, because in this case it logs
(before performing any access checks):

    plog(XLOG_ERROR, "client tried to mount %s, but code is disabled",
         the_path_specified_by_the_client)

If you've left amq mounts enabled, a similar message will be logged at level
XLOG_INFO, which goes to the bit bucket unless you've manually increased log
verbosity to info or more. However, anybody is able to increase your log
verbosity -- no checking involved.

Red Hat's bugzilla message (#4690) says the am-utils developers recommend
using 6.0.1s10. Hope that release fixes all the other 192
strcpy/strcat/sprintfs there are in 6.0 as well.

Olaf
--
Olaf Kirch        |  --- o --- Nous sommes du soleil we love when we play
okirat_private    |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okirat_private    +-------------------- Why Not?! -----------------------
 UNIX, n.: Spanish manufacturer of fire extinguishers.
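The bug described in the message above, as an added example in C that is not am-utils code and not Olaf's: a plog-style logger that vsprintf's into a fixed-size stack buffer, beside a bounded version that checks vsnprintf's return value so an over-long client path is truncated and flagged instead of overwriting the stack. LOGBUF, the function names and the sample paths are assumptions made for the demonstration; the format string is the one quoted in the post.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed buffer size for the demonstration; not the am-utils value. */
#define LOGBUF 128

/* Constructed sample inputs, standing in for the path a client sends in a
 * mount request. Not captured amd traffic. */
#define SHORT_PATH "/home/alice"

static const char *long_path(void)
{
    static char p[400];
    memset(p, 'A', sizeof p - 1);
    p[sizeof p - 1] = '\0';
    return p;
}

/* The vulnerable shape: vsprintf into a fixed-size stack buffer. When the
 * %s argument is longer than LOGBUF minus the fixed text, the write runs
 * past 'buf' and corrupts the stack. Kept only for comparison; this example
 * never calls it with the long path. */
static void plog_unsafe(const char *fmt, ...)
{
    char buf[LOGBUF];
    va_list ap;

    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);        /* no bound: this is the bug */
    va_end(ap);
    fputs(buf, stderr);
    fputc('\n', stderr);
}

/* The hardened shape: vsnprintf bounded by the buffer size, with the return
 * value checked so truncation is detected instead of silently ignored.
 * Writes into caller-supplied 'out' and returns 0 if the message fit,
 * -1 if it was truncated (the buffer is NUL-terminated either way). */
static int plog_safe(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (n < 0) {                   /* encoding error: log nothing */
        out[0] = '\0';
        return -1;
    }
    return (size_t)n >= outsz ? -1 : 0;
}

/* Log the "code is disabled" refusal for a client-chosen path, the way the
 * post describes amd doing before any access check. Returns plog_safe's
 * truncation status: 0 if the message fit, -1 if it was cut short. */
static int refused_message_truncated(const char *client_path)
{
    char buf[LOGBUF];
    int rc = plog_safe(buf, sizeof buf,
                       "client tried to mount %s, but code is disabled",
                       client_path);
    fprintf(stderr, "%s%s\n", buf, rc ? " [truncated]" : "");
    return rc;
}

/* Length of what actually lands in the buffer; never more than LOGBUF - 1. */
static size_t refused_message_len(const char *client_path)
{
    char buf[LOGBUF];
    plog_safe(buf, sizeof buf,
              "client tried to mount %s, but code is disabled", client_path);
    return strlen(buf);
}

int main(void)
{
    /* Both variants are fine with a short path... */
    plog_unsafe("client tried to mount %s, but code is disabled", SHORT_PATH);
    refused_message_truncated(SHORT_PATH);
    /* ...but only the bounded one survives a 399-byte path. */
    refused_message_truncated(long_path());
    return 0;
}
```

The point of the truncation check is that the log line is emitted at a level the client can influence; a bounded call that silently drops the tail hides the fact that something oversized arrived, whereas returning -1 lets the caller log that a client sent an over-long path, which is itself worth knowing about.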
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:03 PDT