Bugtraq mailing list archives

[linux-security] write(1) leak

From: dholland () EECS HARVARD EDU (David Holland)
Date: Mon, 20 Jan 1997 13:53:26 -0500

Some versions (the util-linux version, but not the netwrite or netkit
versions) of /usr/bin/write have a buffer overrun problem that is
almost certainly exploitable. Note that this gives access to the tty
group, but not (directly) root.

The fix is to change the two sprintfs to snprintfs. Patches have been
mailed to the maintainer.


I should note for the bugtraq audience (that message was intended for
linux-security only) that netbsd is affected, freebsd and openbsd are
not. At least the -current versions. YMMV.

Also it was brought to my attention that you can't actually perform
the buffer overrun because the overflow string gets checked against
utmp before it has a chance to overflow.

Sorry about the false alarm.

--
   - David A. Holland             |    VINO project home page:
     dholland () eecs harvard edu    | http://www.eecs.harvard.edu/vino

Current thread:

Re: Smashing the stack on a DEC Alpha, (continued)
- - - Re: Smashing the stack on a DEC Alpha Digital Dreamer (Jan 16)
    - Re: Smashing the stack on a DEC Alpha Julian Assange (Jan 16)
    - FreeBSD Security Advisory: SA-96:21 - talkd FreeBSD Security Officer (Jan 18)
    - Re: FreeBSD Security Advisory: SA-96:21 - talkd Theo de Raadt (Jan 20)
    - talkd problem Theo de Raadt (Jan 20)
    - Re: talkd problem David Holland (Jan 20)
    - Smashing the stack Zygo Blaxell (Jan 20)
    - Re: Smashing the stack David Holland (Jan 20)
    - Re: Smashing the stack Bill Sommerfeld (Jan 21)
    - [linux-security] write(1) leak David Holland (Jan 19)
    - [linux-security] write(1) leak David Holland (Jan 20)
- Irix: csetup hole Yuri Volobuev (Jan 06)