Re: Linux GNOME exploit
- From: Yo Ric Dude <ricdude toad net>
- To: andersen xmission com
- CC: Elliot Lee <sopwith redhat com>, John Kodis <kodis jagunet com>, gnome-devel-list gnome org
- Subject: Re: Linux GNOME exploit
- Date: Tue, 28 Sep 1999 20:26:42 -0400
This would actually be an overflow exploit in esdlib.
Attached is a patch for your review. Many people
install x11amp setuid root for the real-time process
scheduling. It's conceivable that other audio apps
may be installed similarly.
* esdlib.c (esd_connect_tcpip): buffer overflow exploit plugged.
BugTraq's example was 80 bytes long, make the buffer bigger than
that, and actually check its size before doing the strncpy.
Index: esdlib.c
===================================================================
RCS file: /cvs/gnome/esound/esdlib.c,v
retrieving revision 1.63
diff -u -b -B -p -r1.63 esdlib.c
--- esdlib.c 1999/09/04 00:16:38 1.63
+++ esdlib.c 1999/09/29 00:10:03
@@ -425,7 +425,7 @@ esd_connect_tcpip(const char *host)
int socket_out = -1;
int curstate = 1;
char default_host[] = "0.0.0.0";
- char connect_host[64];
+ char connect_host[128] = "0.0.0.0";
int port = ESD_DEFAULT_PORT;
unsigned int host_div = 0;
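Review bot: the new initializer in `+ char connect_host[128] = "0.0.0.0";` duplicates `default_host[]` declared two lines above, so one of the two defaults is now redundant; keep a single source for the default host. The size 128 also reappears as a bare literal in the length check added in the next hunk; prefer `sizeof(connect_host)` (or one named constant used in both places) so the check cannot drift from the declaration if the buffer is resized again.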
@@ -437,6 +437,12 @@ esd_connect_tcpip(const char *host)
/* get host */
if ( host_div ) {
+ if ( host_div >= 128 ) {
+ fprintf( stderr, "ESPEAKER host name too long: \"%s\"!\n",
+ espeaker );
+ return -1;
+ }
+
strncpy( connect_host, espeaker, host_div );
connect_host[ host_div ] = '\0';
} else {
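Review bot: the bound in `+ if ( host_div >= 128 ) {` is right for a 128-byte array, since `host_div` must be at most 127 for `connect_host[ host_div ] = '\0';` to stay in bounds, but it is a second copy of the array size; write it as `host_div >= sizeof(connect_host)` to tie it to the declaration. Two further points: the check only guards the `if ( host_div )` branch, so the `else` branch (not in this hunk) should be confirmed to copy nothing longer than the buffer; and printing to stderr from a library and returning -1 gives the caller no way to tell an over-long ESPEAKER from a failed connect, so the return value deserves a comment or a distinct error path.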
> > If the problem exists at all, it's a Mandrake-specific packaging error,
> > not anything to do with GNOME. nethack is not part of Red Hat Linux, does
> > not use GNOME or esound, and is not installed s[ug]id root in the
> > powertools package.
> >
>
> Gnomehack does use gnomelibs. Never tried Gnomehack, Elliot? Shame on
> you. :) Anyway, it should be setgid games (to give it permission to
> write high scores in /var/lib/games/gnomehack per the ancient nethack
> way of doing things). If it is setgid root, that is somebody else's
> fault, not mine. The way I put gnomehack together, the worst that could
> happen on a buffer overflow would be that somebody gets to fake a high
> score.
-- ebm
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
| __ a.k.a. Eric B. Mitchell |
| |_) . _ _| _| _ ricdude@toad.net |
| | \ ( (_ (_| (_| (_| (/_ www.toad.net/~ricdude |
| How's My Programming? Call: 1 - 800 - DEV - NULL |
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
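The ESPEAKER host parsing discussed in the message above, written out as an added example that is not esound's code: the same copy-then-terminate sequence as esd_connect_tcpip(), with the length check expressed against the buffer's own size so the bound cannot drift from the declaration. CONNECT_HOST_LEN, the function names, and treating a string with no ':' as a bare host name are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size, mirroring the patch's enlarged array. */
#define CONNECT_HOST_LEN 128

/* Copy the host part of an ESPEAKER-style "host:port" string into
 * connect_host (capacity cap). host_div is the index of the ':' or, if
 * there is none, the whole string length (an assumption of this example).
 * Returns 0 on success, -1 if the host would not fit with its NUL. */
int parse_espeaker_host(const char *espeaker, char *connect_host, size_t cap)
{
    const char *colon;
    size_t host_div;

    if (espeaker == NULL || cap == 0)
        return -1;

    colon = strchr(espeaker, ':');
    host_div = colon ? (size_t)(colon - espeaker) : strlen(espeaker);

    /* The 1999 code copied host_div bytes into a 64-byte array and then
     * wrote connect_host[host_div] = '\0', so an 80-byte host overran it.
     * host_div must be strictly less than cap to leave room for the
     * terminator; >= is the same bound the patch uses. */
    if (host_div >= cap) {
        fprintf(stderr, "ESPEAKER host name too long (%lu bytes)\n",
                (unsigned long)host_div);
        return -1;
    }

    /* Exactly host_div bytes, then an explicit NUL. */
    memcpy(connect_host, espeaker, host_div);
    connect_host[host_div] = '\0';
    return 0;
}

/* Convenience wrapper: parse into a CONNECT_HOST_LEN buffer using the
 * smaller of cap and that size, and return the host length, or -1. */
int espeaker_host_len(const char *espeaker, size_t cap)
{
    char connect_host[CONNECT_HOST_LEN];

    if (cap > sizeof connect_host)
        cap = sizeof connect_host;
    if (parse_espeaker_host(espeaker, connect_host, cap) < 0)
        return -1;
    return (int)strlen(connect_host);
}
```

Passing a cap of 16 for a 16-character host name is rejected while 17 is accepted, which is exactly the off-by-one the `>=` bound protects.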