oss-sec mailing list archives

Re: CVE request: lynx (old) .mailcap handling flaw


From: Tavis Ormandy <taviso () sdf lonestar org>
Date: Wed, 29 Oct 2008 12:45:57 +0000

On Tue, Oct 28, 2008 at 10:38:43AM +0100, Tomas Hoger wrote:
> 2) Local social engineering attack - local attacker convinces victim to
> run lynx in some specially crafted local directory.
>
> For valgrind, 1) does not seem to make much sense (or is a lot less
> likely), as if you valgrind a random binary downloaded from the net,
> you're already running attacker's code.

Well obviously. The attack would be convincing someone to debug an
application with a testcase provided in a tarball, or to debug something
in a specific directory.

If you just dumped one in /tmp on a system I use and waited a few weeks,
there's a strong possibility you would pwn me.


> Actually, gdb may be another target with its handling of .gdbinit:
>
>    echo 'shell /usr/bin/id' > .gdbinit ; gdb
>
> (gdb seems to have some checks in place though and refuses to open files
> that are world-writable or not owned by the user)


Of course, guess who reported that ;-) (me).

The patch to make those checks was provided by me. I'm suggesting
valgrind should do the same thing.

Thanks, Tavis.

-- 
-------------------------------------
taviso () sdf lonestar org | finger me for my gpg key.
-------------------------------------------------------
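The check discussed above (refuse to source an rc file from the current directory unless it is owned by the invoking user and is not world-writable) written out in C, as an added example that is not part of this message and is not gdb's or valgrind's own code. The function names, the verdict enum and the temporary-file demonstration are assumptions made for the illustration; lstat() rather than stat() is used so that a planted symlink is rejected as well.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Why a per-directory rc file was accepted or rejected. */
enum rc_verdict { RC_OK, RC_MISSING, RC_NOT_REGULAR, RC_WRONG_OWNER, RC_WORLD_WRITABLE };

/* Decide whether an rc file found in the current directory may be sourced.
 * Policy as described for .gdbinit in the thread: the file must be owned by
 * the user running the program and must not be world-writable. lstat() is
 * used so a symlink someone else dropped in the directory is not followed
 * to a file they control elsewhere. Hypothetical illustration only. */
enum rc_verdict check_rc_file(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return RC_MISSING;
    if (!S_ISREG(st.st_mode))          /* symlinks, FIFOs, devices: refuse */
        return RC_NOT_REGULAR;
    if (st.st_uid != getuid())         /* planted by another user */
        return RC_WRONG_OWNER;
    if (st.st_mode & S_IWOTH)          /* anyone could have edited it */
        return RC_WORLD_WRITABLE;
    return RC_OK;
}

/* Demo helper: write a small file and force its mode. Returns 0 on success. */
static int write_with_mode(const char *path, const char *content, mode_t mode)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(content, f);
    fclose(f);
    return chmod(path, mode);
}

/* Exercise the check on constructed files in a fresh temp directory:
 * a private rc file (accepted), a world-writable one as a planted file in
 * /tmp would typically be (rejected), and a symlink to the private file
 * (rejected because it is not a regular file). Returns 0 when every
 * verdict is as expected, 1 on a wrong verdict, -1 on setup failure. */
int demo_rc_check(void)
{
    char dir[] = "/tmp/rcdemo.XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char good[256], bad[256], link[256];
    snprintf(good, sizeof good, "%s/.rc_private", dir);
    snprintf(bad, sizeof bad, "%s/.rc_planted", dir);
    snprintf(link, sizeof link, "%s/.rc_symlink", dir);
    int rc = -1;
    if (write_with_mode(good, "shell /usr/bin/id\n", 0600) == 0 &&
        write_with_mode(bad, "shell /usr/bin/id\n", 0666) == 0 &&
        symlink(good, link) == 0) {
        rc = (check_rc_file(good) == RC_OK &&
              check_rc_file(bad) == RC_WORLD_WRITABLE &&
              check_rc_file(link) == RC_NOT_REGULAR &&
              check_rc_file("/definitely/not/here") == RC_MISSING) ? 0 : 1;
    }
    unlink(link); unlink(good); unlink(bad); rmdir(dir);
    return rc;
}

int main(void)
{
    int r = demo_rc_check();
    printf("rc file check demo %s\n", r == 0 ? "ok" : "failed");
    return r == 0 ? 0 : 1;
}
```

The ownership test is what defeats the "drop a file in /tmp and wait" scenario: a file planted by another account fails `st_uid != getuid()` whatever its mode. A stricter policy could also reject group-writable files (`S_IWGRP`); that goes beyond the two conditions the thread attributes to gdb and is left out here.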

