wmcube-gdk is vulnerable to a local exploit

From: corecodeat_private
Date: Tue Dec 18 2001 - 05:54:34 PST


    >Submitter-Id:	current-users
    >Originator:	corecode
    >Organization:	
    >Confidential:	no 
    >Synopsis:	wmcube-gdk is vulnerable to a local exploit 
    >Severity:	critical 
    >Priority:	high 
    >Category:	ports 
    >Class:		sw-bug 
    >Release:	FreeBSD 4.4-STABLE i386
    >Environment:
    System: FreeBSD elevation.zuhause.stoert.net 4.4-STABLE FreeBSD 4.4-STABLE #3: Thu Dec 13 16:08:02 CET 2001 corecodeat_private:/usr/obj/usr/src/sys/ELEVATION i386
    
    
    	
    >Description:
    wmcube-gdk is vulnerable to a local exploit resulting in privilege elevation (to gid kmem)
    
    see: http://www.securityfocus.com/archive/1/246033
    
    	
    >How-To-Repeat:
    make & install wmcube-gdk
    	
    >Fix:
    
    there might still be some problems as i didn't have much time to audit the source code.
    better than nothing
    
    diff -ruN wmcube-gdk.old/Makefile wmcube-gdk/Makefile
    --- wmcube-gdk.old/Makefile	Tue Dec  4 02:00:43 2001
    +++ wmcube-gdk/Makefile	Tue Dec 18 14:41:39 2001
    @@ -7,6 +7,7 @@
     
     PORTNAME=	wmcube
     PORTVERSION=	0.98p1
    +PORTREVISION=	1
     CATEGORIES=	sysutils windowmaker
     MASTER_SITES=	http://www.ne.jp/asahi/linux/timecop/software/
     PKGNAMESUFFIX=	-gdk
    diff -ruN wmcube-gdk.old/files/patch-wmcube.c wmcube-gdk/files/patch-wmcube.c
    --- wmcube-gdk.old/files/patch-wmcube.c	Thu Aug 30 06:24:25 2001
    +++ wmcube-gdk/files/patch-wmcube.c	Tue Dec 18 14:38:42 2001
    @@ -1,10 +1,73 @@
    ---- wmcube.c.orig	Thu Aug 16 13:04:38 2001
    -+++ wmcube.c	Thu Aug 16 13:05:00 2001
    -@@ -38,7 +38,6 @@
    - #include <math.h>
    +--- wmcube.c.orig	Tue Aug 28 12:08:13 2001
    ++++ wmcube.c	Tue Dec 18 14:37:25 2001
    +@@ -39,7 +39,6 @@
      
    + #ifdef LINUX
      /* forgotten includes */
     -#include <getopt.h>
      #include <dirent.h>
    + #endif
      
    - #include <sys/wait.h>
    +@@ -778,7 +777,7 @@
    + 	newx -= CHAR_WIDTH;
    +     }
    + 
    +-    sprintf(buf, "%02i%%", num);
    ++    snprintf(buf, 5, "%02i%%", num);
    +     for (i = 0; (c = buf[i]); i++) {
    + 	if (c == '%')
    + 	    copy_xpm_area(60, 0, 7, 9, newx, y);
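Review bot: The bound in `snprintf(buf, 5, "%02i%%", num);` is a hard-coded literal rather than the size of the destination, so the call is only safe if `buf` is declared with at least 5 bytes; that declaration is outside this hunk and should be confirmed. If `buf` is an array in scope, `snprintf(buf, sizeof buf, "%02i%%", num);` keeps the bound tied to the declaration. The same applies to `snprintf(check_cpu, 6, "cpu%d", which_cpu);` in the `-1398` hunk, where `char check_cpu[6]` is visible and `sizeof check_cpu` would do. There, a `which_cpu` of 100 or more is now silently truncated to a five-character name before the later `strcmp`, so rejecting out-of-range values up front would be cleaner than relying on truncation.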
    +@@ -1250,7 +1249,7 @@
    + 	exit(0);
    +     }
    + 
    +-    fscanf(fp, "%s", tmp);
    ++    fscanf(fp, "%63s", tmp);
    + 
    +     if (strcmp(tmp, "WMCUBE_COORDINATES") != 0) {
    + 	printf
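Review bot: The result of `fscanf(fp, "%63s", tmp);` is not checked, so for an empty file or a read error `tmp` is never written and the `strcmp` on the next line reads whatever the buffer already held. The width closes the overflow only if `tmp` holds at least 64 bytes; its declaration is outside this hunk and should be confirmed, or the width derived from it. I would write `if (fscanf(fp, "%63s", tmp) != 1)` and take the same error exit the function already uses for a bad header. The `-1259` and `-1280` hunks have the same unchecked call; the `feof(fp)` test in the latter covers end of file but not a read error.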
    +@@ -1259,7 +1258,7 @@
    + 	exit(0);
    +     }
    + 
    +-    fscanf(fp, "%s", tmp);
    ++    fscanf(fp, "%63s", tmp);
    +     counter = atoi(tmp);
    + 
    +     while ((strcmp(tmp, "WMCUBE_LINES") != 0)
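Review bot: `counter = atoi(tmp);` takes a number straight from the object file with no error or range check; `atoi` cannot tell a non-numeric token from 0 and accepts negative values. How `counter` is used is not visible in this hunk, but if it sizes or indexes the coordinate storage it needs validating first, which matters for a binary the report describes as running with gid kmem. The usual replacement is `strtol` with an `endptr` check and an explicit upper bound. The enclosing function starts and ends outside the hunk.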
    +@@ -1280,7 +1279,7 @@
    + 	    fclose(fp);
    + 	    exit(0);
    + 	}
    +-	fscanf(fp, "%s", tmp);
    ++	fscanf(fp, "%63s", tmp);
    + 
    + 	if (feof(fp)) {
    + 	    printf
    +@@ -1398,7 +1397,7 @@
    +     char cpuid[6];
    +     char check_cpu[6];
    + 
    +-    sprintf(check_cpu, "cpu%d", which_cpu);
    ++    snprintf(check_cpu, 6, "cpu%d", which_cpu);
    + 
    +     if ((fp = fopen("/proc/stat", "rb")) == NULL) {
    + 	perror("/proc/stat required for this system");
    +@@ -1409,7 +1408,7 @@
    + 	return 0;
    + 
    +     for (i = -2; i < which_cpu; i++) {
    +-	fscanf(fp, "%s", cpuid);
    ++	fscanf(fp, "%5s", cpuid);
    +     }
    + 
    +     if (strcmp(check_cpu, cpuid) != 0) {
    +@@ -1431,7 +1430,7 @@
    +     fp = fopen("/proc/stat", "rt");
    + 
    +     for (i = -2; i < which_cpu; i++) {
    +-	fscanf(fp, "%s %d %d %d %d", cpuid, &cpu, &nice, &system, &idle);
    ++	fscanf(fp, "%5s %d %d %d %d", cpuid, &cpu, &nice, &system, &idle);
    +     }
    + 
    +     fclose(fp);
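Review bot: `fp = fopen("/proc/stat", "rt");` on the context line is passed to `fscanf` and `fclose` without a NULL check, unlike the open in the `-1398` hunk, so a failed open goes straight into the stdio calls. The patch leaves this untouched; an `if (fp == NULL)` guard with the function's failure return belongs before the loop. The `fscanf` result is also ignored here and in the `-1409` hunk, which may leave `cpuid` and the four counters unset on a short or malformed read; testing for `!= 5` here (and `!= 1` in the earlier loop) would catch that. The function begins and ends outside the hunk.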
    
    	
    


