Vulnerability Development mailing list archives

slocate bug.


From: Ehud Tenenbaum <analyzer () 2xss com>
Date: Thu, 14 Feb 2002 10:09:32 +0200

Hey,

It's a good time to announce that 2xs security LTD. decided to
create a research team in order to focus on finding new bugs;
furthermore, we managed to develop a security tool to discover
bugs/security flaws. In the near future, the tool itself will become
an open source project.

slocate (Secure locate) comes with the default installation in Red Hat
Linux suid to slocate.

bash-2.05$ ls -al /usr/bin/slocate
-rwxr-sr-x    1 root     slocate     20880 dec 18  2000 /usr/bin/slocate

bash-2.05$ slocate -r `perl -e 'print "A" x 65026'`
Segmentation fault

bash-2.05$ slocate -r `perl -e 'print "A" x 65025'`
[...] no segfault [...]

We found a non-exploitable bug which was pointed out by KoSak (Cabezon Aurélien
aurelien.cabezon () isecurelabs com)

The segfault is due to a null pointer,
because regcomp() will return 0 when the buffer is bigger
than 65028 bytes -> then, regerror() will be called but the
programmer forgot to allocate his errbuf variable,
so it is called with errbuf=NULL. (See line 1193, main.c).

Should anyone have questions or comments, you can email us:

analyzer () 2xss com
izik () 2xss com
mixter () 2xss com


-- 
------------
Ehud Tenenbaum
C.T.O & Project Manager 
2xs LTD. 
Tel: 972-9-9519980
Fax: 972-9-9519982
E-Mail: ehud () 2xss com
------------ 
                                 Have A Safe Day
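The failure mode described in the post is a regcomp() error path that hands regerror() an unallocated message buffer. The following is an added example, not slocate's code and not from the poster, showing how a caller should size and allocate that buffer before use. The helper names (compile_pattern, pattern_matches, long_pattern_probe) are hypothetical; the flags REG_EXTENDED and REG_NOSUB are standard POSIX.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not slocate's code): compile a POSIX regex and, on
 * failure, hand back a heap-allocated error message sized by regerror()
 * itself. Returns 0 on success; on failure returns the regcomp() error code
 * and sets *errmsg to a malloc'd string the caller must free. */
int compile_pattern(const char *pattern, regex_t *re, char **errmsg)
{
    *errmsg = NULL;
    int rc = regcomp(re, pattern, REG_EXTENDED | REG_NOSUB);
    if (rc == 0)
        return 0;

    /* Calling regerror() with a NULL buffer and size 0 is the documented way
     * to ask how many bytes the message needs (NUL included). Only after that
     * do we allocate and fill a real buffer, so regerror() is never given a
     * non-zero size with a NULL or uninitialised pointer. */
    size_t need = regerror(rc, re, NULL, 0);
    char *buf = malloc(need);
    if (buf == NULL)
        return rc;           /* out of memory: report the code, no message */
    regerror(rc, re, buf, need);
    *errmsg = buf;
    return rc;
}

/* Returns 1 if subject matches pattern, 0 if it does not, and -1 if the
 * pattern does not compile. A bad pattern is reported, never dereferenced. */
int pattern_matches(const char *pattern, const char *subject)
{
    regex_t re;
    char *err;
    int rc = compile_pattern(pattern, &re, &err);
    if (rc != 0) {
        fprintf(stderr, "regcomp failed: %s\n", err ? err : "(no message)");
        free(err);
        return -1;           /* regfree() is not called: regcomp() failed */
    }
    int m = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return m == 0 ? 1 : 0;
}

/* Robustness probe: build a constructed pattern of n 'A' characters (the post
 * used 65026) and run it through the same path. Whatever limit the local
 * regcomp() applies, the result is a clean 0 or -1, never a crash. */
int long_pattern_probe(size_t n)
{
    char *pat = malloc(n + 1);
    if (pat == NULL)
        return -1;
    memset(pat, 'A', n);
    pat[n] = '\0';
    int r = pattern_matches(pat, "x");
    free(pat);
    return r;
}

int main(void)
{
    printf("%d\n", pattern_matches("^foo.*bar$", "foobar"));   /* 1  */
    printf("%d\n", pattern_matches("[", "anything"));          /* -1 */
    printf("%d\n", long_pattern_probe(65026));                 /* 0 or -1 */
    return 0;
}
```

The two-step regerror() call is the portable idiom: the first call with a NULL buffer returns the required size, and only the second call writes into memory the program actually owns.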

