Bugtraq mailing list archives

Re: GNU/Linux 'info Buffer Overflow

From: Valdis.Kletnieks () vt edu
Date: Fri, 06 Aug 2004 16:05:47 -0400

On Fri, 06 Aug 2004 00:46:21 -0000, Josh Martin <skizzles () gmail com>  said:

Package: info
Version: 4.7-2.1
Severity: grave
Tags: security
Justification: user security hole

This buffer overflow is very trivial to leverage as there are several
bytes available (10-15+).  It may be possible that arbitary system calls
could be made though this hole. It is also possible to leverage this
from the command line using the --restore=FILENAME flag, and need not
have the program running.  Although it is not running as suid, or as a
daemon, in a case where info is being used as a public service, it may
be a security problem.


Well.. it may be a problem if you can convince root (or somebody else not
yourself) to go to an 'info' page and enter 'f' and 225 bytes and hit return,
or to convince root to run a 'info --restore=' command.  Barring that,
I'm failing to see how it's a "grave" severity - unless there's a way to leverage
it or social-engineer it that I'm missing, if this is "grave" then *every* bug that
results in a SIGSEGV is grave.....

Attachment: _bin
Description:

Current thread:

GNU/Linux 'info Buffer Overflow Josh Martin (Aug 06)
- Re: GNU/Linux 'info Buffer Overflow Valdis . Kletnieks (Aug 06)
- Re: GNU/Linux 'info Buffer Overflow Niels Bakker (Aug 06)
  - Re: GNU/Linux 'info Buffer Overflow Janusz A. Urbanowicz (Aug 07)
- Re: GNU/Linux 'info Buffer Overflow Roman Werpachowski (Aug 07)