Bugtraq mailing list archives

Re: Serious amd problems??


From: okir () MONAD SWB DE (Olaf Kirch)
Date: Thu, 26 Aug 1999 13:00:53 +0200


[Disclaimer: I didn't discover this... I'm just responding to it]

I took a look at the code today.  It's the same problem that bit the
Linux mount daemon (I'm so glad I'm not the only stupid person on this
planet). It uses a logging function that happily sprintf's to a fixed
length string on the stack.

The fun part is that if you've tried to play it safe and compiled
amd with --disable-amq-mounts, you're vulnerable, because in
this case it logs (before performing any access checks):

        plog(XLOG_ERROR, "client tried to mount %s, but code is disabled",
                                the_path_specified_by_the_client)

If you've left amq mounts enabled, a similar message will be logged
at level XLOG_INFO, which goes to the bit bucket unless you've manually
increased log verbosity to info or more. However, anybody is able
to increase your log verbosity--no checking involved.

Redhat's bugzilla message (#4690) says the am-utils developers
recommend using 6.0.1s10.  Hope that release fixes all the other 192
strcpy/strcat/sprintfs there are in 6.0 as well.

Olaf

--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.
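
The logging pattern described in the message above, next to a bounded form, as an added example that is not part of the original post and not am-utils code. The names `plog_unbounded`, `plog_bounded`, `LOG_BUF` and `last_line`, and the 128-byte buffer size, are assumptions made for illustration; only the format string is taken from the post.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 128               /* assumed size; the post only says "fixed length" */
static char last_line[LOG_BUF];   /* hypothetical sink standing in for syslog/file */

/* Pattern the post describes: unbounded formatting into a stack buffer.
 * A client-supplied %s argument longer than msg writes past its end. */
void plog_unbounded(const char *fmt, ...)
{
    char msg[LOG_BUF];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(msg, fmt, ap);       /* no length limit */
    va_end(ap);
    strcpy(last_line, msg);
}

/* Bounded form: vsnprintf writes at most sizeof msg bytes and returns the
 * length it wanted, so truncation can be detected and marked in the log.
 * Returns 1 if the message was truncated, 0 if it fit, -1 on format error. */
int plog_bounded(const char *fmt, ...)
{
    char msg[LOG_BUF];
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= sizeof msg)
        memcpy(msg + sizeof msg - 4, "...", 4);   /* mark the cut, keeps the NUL */
    memcpy(last_line, msg, strlen(msg) + 1);
    return (size_t)n >= sizeof msg;
}

int main(void)
{
    char path[1024];              /* constructed oversized client path */
    memset(path, 'A', sizeof path - 1);
    path[sizeof path - 1] = '\0';
    int cut = plog_bounded("client tried to mount %s, but code is disabled", path);
    printf("truncated=%d logged=%zu bytes\n", cut, strlen(last_line));
    return 0;
}
```

`plog_unbounded` is shown only for contrast and is never called; the bounded version logs a truncated line ending in `...` instead of writing past the buffer.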


