Re: Midnight Commander Multiple vulnerabilities



Hello,

On Thu, 7 Apr 2005, Cleve Philippe wrote:

> Hi,
>
> Searching information about Midnight Commander on the net, I've found
> multiple documents saying:
>
> "A vulnerability has been identified in Midnight Commander (mc), which
> potentially can be exploited by malicious people to compromise a user's
> system.
>
> The vulnerability is caused due to a boundary error when handling
> symlinks in compressed files. This can be exploited by constructing a
> compressed file containing overly long, specially crafted symlinks. This
> will cause a stack overflow when a user tries to view the content of the
> malicious compressed file using mc.
>
> The vulnerability has been confirmed in version 4.5.55 but should
> reportedly affect versions 4.5.52 through 4.6.0."
>
> We are currently using mc 4.6.0 on Solaris 9.
>
> What's the situation in our case?

Your version has this vulnerability.

> Does any correction exist?

Yes. This vulnerability has been fixed in MC 4.6.1-pre2 and up.
You can download an unofficial release from
http://pavelsh.pp.ru/wiki/doku.php?id=mc-prerelease

or get MC from CVS (use the MC_4_6_1_PRE branch).


