Vulnerability Development mailing list archives
Re: artsd overflow
From: <castongj () killjoy student umd edu>
Date: Thu, 3 Jan 2002 23:51:24 -0500 (EST)
On Fri, 4 Jan 2002, Fuska wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Happy new year.
>
> Take a look at this:
>
> r00t:~$ ls -las `which artswrapper` `which artsd`
>   4 -rwsr-xr-x   1 root     root       4048 Dec 28 22:43 /usr/bin/artswrapper*
> 120 -rwxr-xr-x   1 root     root     117644 Dec 28 22:43 /usr/bin/artsd*
> r00t:~$ artsd -m `perl -e 'print "A"x3000'`
> Segmentation fault

I've found the same thing before, it's a bug in artsd. I get the same thing
on Slackware 8/current.
artswrapper drops permissions before getting to this
in arts-0.6.0/arts/soundserver/artswrapper.c (nonrelated bits removed)

    /* drop root privileges if running setuid root
       (due to realtime priority stuff) */
    if (geteuid() != getuid())
    {
        setreuid(-1, getuid());
    }

    if(argc == 0)
        return 1;

    argv[0] = EXECUTE;
    execv(EXECUTE,argv);
    perror(EXECUTE);
    return 1;
}

--
Jason Castonguay
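
A checked form of the privilege drop quoted above, as an added example that is not part of the original post or of the aRts source. The function names `drop_privileges` and `can_regain` are hypothetical, and the saved set-user-ID behaviour described in the comments assumes Linux semantics for `setreuid`.

```c
/* Added example: checked, permanent privilege drop for a setuid wrapper.
 * drop_privileges() and can_regain() are hypothetical names, not aRts code. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the process can still switch its effective UID to old_euid. */
static int can_regain(uid_t old_euid)
{
    if (old_euid == getuid())
        return 0;                   /* nothing was elevated to begin with */
    return seteuid(old_euid) == 0;
}

/* Drop to the real UID/GID for good. Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t uid = getuid(), old_euid = geteuid();
    gid_t gid = getgid();

    /* Group first: after the UID drop the call may no longer be permitted. */
    if (setregid(gid, gid) != 0)
        return -1;
    /* setreuid(-1, uid) leaves the saved set-user-ID untouched until exec;
     * on Linux, passing the real UID explicitly resets it immediately. */
    if (setreuid(uid, uid) != 0)
        return -1;
    /* Verify the result instead of trusting the return values alone. */
    if (geteuid() != uid || getegid() != gid || can_regain(old_euid))
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    (void)argv;
    if (argc == 0)
        return 1;
    if (drop_privileges() != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;                   /* never exec the target half-dropped */
    }
    printf("running as uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```

A wrapper would call `execv` only after `drop_privileges()` returns 0.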
