-----BEGIN PGP SIGNED MESSAGE----- Przemyslaw Frasunek writes: @@ -103,11 +103,11 @@ uint8 command[500]; struct stat statb; if (!stat(newname, &statb)) return(EEXIST); if (stat(oldname, &statb)) return(-1); else if (!S_ISDIR(statb.st_mode)) return(-1); - - sprintf(command, "mv %s %s 2>&1 >/dev/null" , oldname, newname); + snprintf(command, sizeof(command)-1, "mv %s %s 2>&1 >/dev/null" , oldname, newname); return(system(command)); } Without seeing the context, I can't say for sure, but this looks like a hole big enough to drive a truck through - calling system( ) with user-supplied arguments. If this code is running with superuser privileges and shell metacharacters haven't been removed very carefully, there's going to be a trivial exploit. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQB1AwUBN83eygUw3ir1nvhZAQGNzQL/cP/NqiAyq9Pmf5QhPCvSGdbE9LFukkZ+ bJDqmaiQ9l7P/GZcUT1wkEsvE+pS2HI+g6sKyqFzcMgpmov7ojX9oHtpfFdqgJdX djlXi5LI1PKS4/0jVcUBNQt6mInRyHHO =Jf2q -----END PGP SIGNATURE----- -- I don't | All messages will be PGP signed, | Fight for your right to speak for | encrypted mail preferred. Keys: | use sealed envelopes. the Uni. | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/
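Review bot: The added snprintf() call ignores its return value, so an oldname/newname pair that does not fit in command[500] is silently truncated and the shortened string is still passed to system(), which would then act on a path other than the one the stat() checks above examined. Truncation should fail the call instead: `int n = snprintf(command, sizeof(command), "mv %s %s 2>&1 >/dev/null", oldname, newname);` followed by `if (n < 0 || (size_t)n >= sizeof(command)) return(-1);`. The `-1` on the size argument is unnecessary, since snprintf() already reserves room for the terminating NUL. Separately, `2>&1 >/dev/null` leaves stderr attached to the original stdout; if the intent is to discard both streams, the order should be `>/dev/null 2>&1`. The function's signature and opening lines are outside the hunk, so the origin of oldname and newname cannot be confirmed from here.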