Bugtraq mailing list archives

Re: Linux /usr/bin/gnuplot overflow

From: speed () LINUX DPILINK COM (Speed)
Date: Thu, 4 Mar 1999 20:04:49 -0500


It is interesting to note that the gnuplot on my system is NOT suid root
(nor have I modified the default installed settings).  My version is 3.5
patchlevel 3.50.1.17 (i.e. very old).  The distribution is Slackware.

I agree with xnec in that I can see no good reason to make it suid root.
Anyone know why this was done?  Anytime a program is going to do this, a
full audit should be made - some people take the suid bit not seriously
enough.

Simply running strings against it should cause someone looking at that
output to feel a bit suspicious.

Granted, the suid bit might be placed by the distribution and not the
program's author.

Finally, thanks to xnec for providing BOTH the exploit and the fix which
is how it should be done on a full disclosure list.

- Speed_D

Current thread:

Re: Linux /usr/bin/gnuplot overflow Speed (Mar 04)
- Re: Linux /usr/bin/gnuplot overflow Rich Lafferty (Mar 05)
- <Possible follow-ups>
- Re: Linux /usr/bin/gnuplot overflow Marc SCHAEFER (Mar 06)
- Re: Linux /usr/bin/gnuplot overflow Marc Heuse (Mar 06)
- Re: Linux /usr/bin/gnuplot overflow Marc Heuse (Mar 08)