Security audit result: gnome-pty-helper
- From: Chris Evans <chris ferret lmh ox ac uk>
- To: Miguel de Icaza <miguel nuclecu unam mx>
- cc: gnome-list gnome org, security-audit ferret lmh ox ac uk
- Subject: Security audit result: gnome-pty-helper
- Date: Mon, 22 Feb 1999 21:48:52 +0000 (GMT)
Hi,
I had a look at gnome-pty-helper. Here are the issues I found. They are
probably minor. The first one is a bit of a howler though! Note that this
isn't a thorough audit, just a quick glance. More pairs of eyes are
welcome.
I haven't made a patch; the suggested changes are trivial. Tell me what
you think and if these changes will be applied. I think I can justify them
all ;-)
One more thing, a packaging issue. "gnome-pty-helper" is sgid root as well
as suid-root. I would suggest only the latter is necessary.
Cheers
Chris
1) When checking for STDOUT being open, we check fcntl(0,...) not
fcntl(1,...), oops!
2) open_ptys - return value for alloca() not checked for NULL (oh -
openpty() seems to check this but still..)
3) openpty() [in gnome-login-support] - if group ownership can't be
changed to group "tty" then we shouldn't make the pty group writeable. 2
occurrences. I can envisage a condition where this causes a problem.
4) pty_add() - check for pi == NULL should come _before_ memset()!
5) pty_add() - does not check return code of strdup() for NULL?
6) update_dbs() - malloc return not checked for NULL
7) update_dbs() - after strncpy() of user supplied display_name we don't
NULL-terminate the ut_host field!
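
Items 1 and 7 above, sketched as an added C example; it is not code from gnome-pty-helper or from the original message. The helper names, the `HOST_FIELD` size and the sample display name are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

#define HOST_FIELD 16 /* constructed stand-in for sizeof(ut.ut_host) */

/* Hypothetical helper for item 1: fd is closed only if F_GETFL fails with EBADF. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFL) != -1 || errno != EBADF;
}

/* Test stdin, stdout and stderr each by its own number (0, 1, 2). */
int std_fds_open(void)
{
    int fd;
    for (fd = 0; fd <= 2; fd++)
        if (!fd_is_open(fd))
            return 0;
    return 1;
}

/* Item 7: returns 1 if a bare strncpy() left no NUL anywhere in the field. */
int bare_strncpy_unterminated(const char *src)
{
    char field[HOST_FIELD];
    strncpy(field, src, sizeof field);
    return memchr(field, '\0', sizeof field) == NULL;
}

/* Copy at most dstlen-1 bytes and always terminate; returns resulting length. */
size_t copy_field(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0)
        return 0;
    strncpy(dst, src, dstlen - 1);
    dst[dstlen - 1] = '\0';
    return strlen(dst);
}

int main(void)
{
    const char *display = "a-long-display-host.example:0.0"; /* constructed input */
    char host[HOST_FIELD];
    printf("std fds open: %d\n", std_fds_open());
    printf("bare strncpy unterminated: %d\n", bare_strncpy_unterminated(display));
    printf("safe copy length: %zu\n", copy_field(host, sizeof host, display));
    return 0;
}
```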