[1396] in linux-security and linux-alert archive
[linux-security] write(1) leak
daemon@ATHENA.MIT.EDU (David Holland)
Sun Jan 19 11:39:48 1997
From: David Holland <dholland@eecs.harvard.edu>
To: linux-security@redhat.com
Date: Sun, 19 Jan 1997 02:29:06 -0500 (EST)
Cc: dholland@burgundy.eecs.harvard.edu (David Holland)
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
Some versions (the util-linux version, but not the netwrite or netkit
versions) of /usr/bin/write have a buffer overrun problem that is
almost certainly exploitable. Note that this gives access to the tty
group, but not (directly) root.
The fix is to change the two sprintfs to snprintfs. Patches have been
mailed to the maintainer.
--
- David A. Holland | VINO project home page:
dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino