Bugtraq mailing list archives
dip-3.3.7o security hole
From: ggajic () AFRODITA RCUB BG AC YU (Goran Gajic)
Date: Tue, 5 May 1998 13:28:21 +0200
Hi, There is potencial security hole in dip-3.3.7o which is installed suid root in Slackware 3.4 distribution (if selected). Just try this: ~> dip -k -l `perl -e 'print "a" x 2000'` and you will get something like: DIP: cannot open /var/lock/LCK..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaa:No such file or directory Segmentation fault If you look dip source, main.c, or do strace, you will find that problem is with sprintf, line 192: sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam); Here is obvious patch: --- main.c Tue Feb 13 03:03:35 1996 +++ main.c Mon May 4 23:36:49 1998 @@ -189,7 +189,7 @@ return; } - sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam); + snprintf(buf, sizeof(buf), "%s/LCK..%s", _PATH_LOCKD, nam); fp = fopen(buf, "r"); if (fp == (FILE *)0) { Or chmod -s dip. Goran Gajic
Current thread:
- Lynx's 2.8 buffer overflow Michal Zalewski (May 03)
- [MORE] Lynx's 2.x buffers overflows Efrain Torres - Estudiante General (May 03)
- dip-3.3.7o security hole Goran Gajic (May 05)