[1546] in linux-security and linux-alert archive
[linux-security] Security hole in Elm...
daemon@ATHENA.MIT.EDU (Marcin Bohosiewicz)
Thu May 15 02:16:11 1997
Date: Wed, 14 May 1997 16:58:06 +0200 (MET DST)
From: Marcin Bohosiewicz <marcus@venus.wis.pk.edu.pl>
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
>---------- Forwarded message ----------
>Date: Tue, 13 May 1997 21:18:33 +0200
>From: Wojciech Swieboda <wojtek@ajax.umcs.lublin.pl>
>To: BUGTRAQ@NETSPACE.ORG
>
>Hello,
> I've lately found an overflow vulnerability in Elm (Elm is setgid
>mail on linux, and perhaps on some other platforms aswell). I've tested
>this bug on versions 2.3 and 2.4, on 3 different Linux installations.
>from Elm 2.3's curses.c:
>[...]
> char termname[40];
> char *strcpy(), *getenv();
>
> if (getenv("TERM") == NULL) return(-1);
>
> if (strcpy(termname, getenv("TERM")) == NULL)
> return(-1);
>[...]
>to patch, change the strcpy line to
> if (strncpy(termname, getenv("TERM"), sizeof(termname)) == NULL)
>
>lame exploit for linux included below (works from time to time):
[exploit was here]
Elm without this bug is now available from:
ftp://venus.wis.pk.edu.pl/pub/RPMS/elm-2.4.25-8.i386.rpm
ftp://venus.wis.pk.edu.pl/pub/SRPMS/elm-2.4.25-8.src.rpm
M.
-| == Marcin Bohosiewicz marcus@venus.wis.pk.edu.pl == |-
-| == tel. +048 (0-12) 37-44-99 marcus@krakow.linux.org.pl == |-
-| == Strona Domowa - http://venus.wis.pk.edu.pl/marcus/ == |-