Re: Serious amd problems??

From: Olaf Kirch (okirat_private)
Date: Thu Aug 26 1999 - 04:00:53 PDT


    [Disclaimer: I didn't discover this... I'm just responding to it]
    
    I took a look at the code today.  It's the same problem that bit the
    Linux mount daemon (I'm so glad I'm not the only stupid person on this
    planet). It uses a logging function that happily sprintf's to a fixed
    length string on the stack.
    
    The fun part is that if you've tried to play it safe and compiled
    amd with --disable-amq-mounts, you're vulnerable, because in
    this case it logs (before performing any access checks):
    
            plog(XLOG_ERROR, "client tried to mount %s, but code is disabled",
    				the_path_specified_by_the_client)
    
    If you've left amq mounts enabled, a similar message will be logged
    at level XLOG_INFO, which goes to the bit bucket unless you've manually
    increased log verbosity to info or more. However, anybody is able
    to increase your log verbosity--no checking involved.
    
    Redhat's bugzilla message (#4690) says the am-utils developers
    recommend using 6.0.1s10.  Hope that release fixes all the other 192
    strcpy/strcat/sprintfs there are in 6.0 as well.
    
    Olaf
    --
    Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
    okirat_private  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
    okirat_private    +-------------------- Why Not?! -----------------------
             UNIX, n.: Spanish manufacturer of fire extinguishers.
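
The logging pattern described in the message above, next to a length-bounded form, as an added example that is not am-utils code or part of the original post. The names `log_unbounded`, `log_bounded` and `LOG_MAX` are hypothetical and the 128-byte buffer size is an assumption; only the format string is taken from the post.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_MAX 128 /* assumed size; the post only says "fixed length" */

/* Pattern the post describes: the formatted length is set by the client's
 * path, but the destination is a fixed stack buffer.
 * Kept for contrast; it is only safe while the message fits in LOG_MAX. */
size_t log_unbounded(FILE *sink, const char *fmt, ...)
{
    char msg[LOG_MAX];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(msg, fmt, ap);          /* no length limit on the write */
    va_end(ap);
    fputs(msg, sink);
    return strlen(msg);
}

/* Bounded form: vsnprintf never writes past sizeof msg and returns the
 * length the full message would have had, so truncation is detectable. */
size_t log_bounded(FILE *sink, int *truncated, const char *fmt, ...)
{
    char msg[LOG_MAX];
    va_list ap;
    va_start(ap, fmt);
    int need = vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    if (need < 0) { *truncated = 0; return 0; }  /* formatting error */
    *truncated = (size_t)need >= sizeof msg;
    if (*truncated)
        memcpy(msg + sizeof msg - 4, "...", 4);  /* mark the cut, keep NUL */
    fputs(msg, sink);
    return strlen(msg);
}

int main(void)
{
    char path[4096];                 /* constructed oversized client path */
    int cut;
    memset(path, 'A', sizeof path - 1);
    path[sizeof path - 1] = '\0';
    size_t n = log_bounded(stderr, &cut,
        "client tried to mount %s, but code is disabled\n", path);
    fprintf(stderr, "\nlogged %zu bytes, truncated=%d\n", n, cut);
    return 0;
}
```

The bounded logger records that a cut happened, so an oversized path shows up in the log as a truncated entry rather than as memory corruption.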
    


