Re: RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch.

[rexolab <research () rexotec com>]

We are very serious in this matter as we already have discoused with you. We don't see why do  you think we are joking ?
We have found this vulnerability there's already eighteen month but we have find it in 15-4 release of cscope.
The 15-5 version has the same problem....


Release date of advisory's publication is looking only at us.....

About the patch, sorry, we made a mistake in sending you a wrong one, and now we are sending you the right one :

8<-------------------cut--here--------------------------------------------

diff -Naurp src_old/build.c src_new/build.c
--- src_old/build.c     2004-11-18 16:27:04.000000000 +0100
+++ src_new/build.c     2004-11-18 16:27:29.000000000 +0100
@@ -333,7 +333,7 @@ build(void)
                (void) fprintf(stderr, "cscope: cannot open file %s\n", reffile);
                myexit(1);
        }
-       if (invertedindex == YES && (postings = myfopen(temp1, "wb")) == NULL) {
+       if (invertedindex == YES && (postings = myfopen(temp1, "w+xb")) == NULL) {
                cannotwrite(temp1);
                cannotindex();
        }
diff -Naurp src_old/display.c src_new/display.c
--- src_old/display.c   2004-11-18 16:27:04.000000000 +0100
+++ src_new/display.c   2004-11-18 16:27:29.000000000 +0100
@@ -431,7 +431,7 @@ search(void)
                        findresult = (*f)(pattern);
                }
                else {
-                       if ((nonglobalrefs = myfopen(temp2, "wb")) == NULL) {
+                       if ((nonglobalrefs = myfopen(temp2, "w+xb")) == NULL) {
                                cannotopen(temp2);
                                return(NO);
                        }
@@ -754,13 +754,13 @@ BOOL
 writerefsfound(void)
 {
        if (refsfound == NULL) {
-               if ((refsfound = myfopen(temp1, "wb")) == NULL) {
+               if ((refsfound = myfopen(temp1, "w+xb")) == NULL) {
                        cannotopen(temp1);
                        return(NO);
                }
        } else {
                (void) fclose(refsfound);
-               if ( (refsfound = myfopen(temp1, "wb")) == NULL) {
+               if ( (refsfound = myfopen(temp1, "w+xb")) == NULL) {
                        postmsg("Cannot reopen temporary file");
                        return(NO);
                }

8<----------------------------------------------cut-here-----------------------------------

enjoy,

Mr Gangstuck & associates......


---
On Thu, 18 Nov 2004 12:42:33 +0100 (CET)
Hans-Bernhard Broeker <broeker () physik rwth-aachen de> wrote:

> On Thu, 18 Nov 2004, rexolab wrote:
>
> >    VulnDiscovery:   2003/05/21
> >    Release Date :   2004/11/17
>
> Surely you're joking, Mr. Gangstuck.  You can't seriously be telling us
> you sat on this for no less than 18 months, without telling anybody about
> it.
>
> Actually, I somewhat doubt you even discovered this yourself --- what with
> this very bug having been posted to cscope's bugtracker on 2004-11-09.
>
> >    Status       :   vendor has just been notified.
>
> Actually, we've been notified 11 days ago, and apparently not by you.
>
> >    First, the temporary directory (P_tmpdir="/tmp") is badly handled 
> >    in every myfopen() internal call.
>
> [... there doesn't seem to be a "second", to that first...]
>
> Anyway, you're right, the vulnerability is there.  Unfortunately your
> patch is not quite sufficient to close it, because you overlooked 
> that temp2, one of the two predictable filenames, is also used to
> construct an output redirection for a shell command run by cscope.
>
> -- 
> Hans-Bernhard Broeker (broeker () physik rwth-aachen de)
> Even if all the snow were burnt, ashes would remain.
>
>
>
> --
> Ce message ne contient pas de virus connu.
> neoDomaine Postmaster - http://www.neodomaine.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html