Bugtraq mailing list archives

wmcube-gdk is vulnerable to a local exploit


From: "corecode () corecode ath cx" <corecode () corecode ath cx>
Date: Tue, 18 Dec 2001 14:54:34 +0100 (CET)


Submitter-Id:  current-users
Originator:    corecode
Organization:  
Confidential:  no 
Synopsis:      wmcube-gdk is vulnerable to a local exploit 
Severity:      critical 
Priority:      high 
Category:      ports 
Class:         sw-bug 
Release:       FreeBSD 4.4-STABLE i386
Environment:
System: FreeBSD elevation.zuhause.stoert.net 4.4-STABLE FreeBSD 4.4-STABLE #3: Thu Dec 13 16:08:02 CET 2001 corecode () 
elevation zuhause stoert net:/usr/obj/usr/src/sys/ELEVATION i386


        
Description:
wmcube-gdk is vulnerable to a local exploit resulting in privilege elevation (to gid kmem)

see: http://www.securityfocus.com/archive/1/246033

        
How-To-Repeat:
make & install wmcube-gdk
        
Fix:

there might still be some problems as i didn't have much time to audit the source code.
better than nothing

diff -ruN wmcube-gdk.old/Makefile wmcube-gdk/Makefile
--- wmcube-gdk.old/Makefile     Tue Dec  4 02:00:43 2001
+++ wmcube-gdk/Makefile Tue Dec 18 14:41:39 2001
@@ -7,6 +7,7 @@
 
 PORTNAME=      wmcube
 PORTVERSION=   0.98p1
+PORTREVISION=  1
 CATEGORIES=    sysutils windowmaker
 MASTER_SITES=  http://www.ne.jp/asahi/linux/timecop/software/
 PKGNAMESUFFIX= -gdk
diff -ruN wmcube-gdk.old/files/patch-wmcube.c wmcube-gdk/files/patch-wmcube.c
--- wmcube-gdk.old/files/patch-wmcube.c Thu Aug 30 06:24:25 2001
+++ wmcube-gdk/files/patch-wmcube.c     Tue Dec 18 14:38:42 2001
@@ -1,10 +1,73 @@
---- wmcube.c.orig      Thu Aug 16 13:04:38 2001
-+++ wmcube.c   Thu Aug 16 13:05:00 2001
-@@ -38,7 +38,6 @@
- #include <math.h>
+--- wmcube.c.orig      Tue Aug 28 12:08:13 2001
++++ wmcube.c   Tue Dec 18 14:37:25 2001
+@@ -39,7 +39,6 @@
  
+ #ifdef LINUX
  /* forgotten includes */
 -#include <getopt.h>
  #include <dirent.h>
+ #endif
  
- #include <sys/wait.h>
+@@ -778,7 +777,7 @@
+       newx -= CHAR_WIDTH;
+     }
+ 
+-    sprintf(buf, "%02i%%", num);
++    snprintf(buf, 5, "%02i%%", num);
+     for (i = 0; (c = buf[i]); i++) {
+       if (c == '%')
+           copy_xpm_area(60, 0, 7, 9, newx, y);
+@@ -1250,7 +1249,7 @@
+       exit(0);
+     }
+ 
+-    fscanf(fp, "%s", tmp);
++    fscanf(fp, "%63s", tmp);
+ 
+     if (strcmp(tmp, "WMCUBE_COORDINATES") != 0) {
+       printf
+@@ -1259,7 +1258,7 @@
+       exit(0);
+     }
+ 
+-    fscanf(fp, "%s", tmp);
++    fscanf(fp, "%63s", tmp);
+     counter = atoi(tmp);
+ 
+     while ((strcmp(tmp, "WMCUBE_LINES") != 0)
+@@ -1280,7 +1279,7 @@
+           fclose(fp);
+           exit(0);
+       }
+-      fscanf(fp, "%s", tmp);
++      fscanf(fp, "%63s", tmp);
+ 
+       if (feof(fp)) {
+           printf
+@@ -1398,7 +1397,7 @@
+     char cpuid[6];
+     char check_cpu[6];
+ 
+-    sprintf(check_cpu, "cpu%d", which_cpu);
++    snprintf(check_cpu, 6, "cpu%d", which_cpu);
+ 
+     if ((fp = fopen("/proc/stat", "rb")) == NULL) {
+       perror("/proc/stat required for this system");
+@@ -1409,7 +1408,7 @@
+       return 0;
+ 
+     for (i = -2; i < which_cpu; i++) {
+-      fscanf(fp, "%s", cpuid);
++      fscanf(fp, "%5s", cpuid);
+     }
+ 
+     if (strcmp(check_cpu, cpuid) != 0) {
+@@ -1431,7 +1430,7 @@
+     fp = fopen("/proc/stat", "rt");
+ 
+     for (i = -2; i < which_cpu; i++) {
+-      fscanf(fp, "%s %d %d %d %d", cpuid, &cpu, &nice, &system, &idle);
++      fscanf(fp, "%5s %d %d %d %d", cpuid, &cpu, &nice, &system, &idle);
+     }
+ 
+     fclose(fp);
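Review bot: None of the bounded `fscanf` calls checks its return value, so at the `@@ -1250` and `@@ -1259` reads an empty or truncated object file leaves `tmp` with whatever it held before, and `strcmp`/`atoi` then run on it; `if (fscanf(fp, "%63s", tmp) != 1) { fclose(fp); exit(1); }` would close that gap, and the same applies to the read at `@@ -1280`. The literal `63` assumes `tmp` is at least 64 bytes, which cannot be confirmed here because its declaration is outside the hunk, and `snprintf(buf, 5, ...)` would be safer as `snprintf(buf, sizeof buf, ...)` if `buf` is an array in scope. `counter = atoi(tmp)` still accepts a file-supplied count with no range check, so whatever it later sizes or indexes presumably needs the same audit. In the `@@ -1431` section the result of `fopen("/proc/stat", "rt")` goes to `fscanf` without a NULL check, and with `%5s` a longer token is split rather than rejected, which shifts the following `%d` conversions and leaves `cpu`, `nice`, `system` and `idle` unset. Because the report says the binary carries gid kmem, dropping that group (for example `setgid(getgid());`) before the object file is parsed would limit the impact of anything this patch misses.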

        

