[1546] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Security hole in Elm...

daemon@ATHENA.MIT.EDU (Marcin Bohosiewicz)
Thu May 15 02:16:11 1997

Date: Wed, 14 May 1997 16:58:06 +0200 (MET DST)
From: Marcin Bohosiewicz <marcus@venus.wis.pk.edu.pl>
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com


>---------- Forwarded message ----------
>Date: Tue, 13 May 1997 21:18:33 +0200
>From: Wojciech Swieboda <wojtek@ajax.umcs.lublin.pl>
>To: BUGTRAQ@NETSPACE.ORG
>
>Hello,
>        I've lately found an overflow vulnerability in Elm (Elm is setgid
>mail on linux, and perhaps on some other platforms aswell). I've tested
>this bug on versions 2.3 and 2.4, on 3 different Linux installations.
>from Elm 2.3's curses.c:
>[...]
>        char termname[40];
>        char *strcpy(), *getenv();
>
>        if (getenv("TERM") == NULL) return(-1);
>
>        if (strcpy(termname, getenv("TERM")) == NULL)
>                return(-1);
>[...]
>to patch, change the strcpy line to
>        if (strncpy(termname, getenv("TERM"), sizeof(termname)) == NULL)
>
>lame exploit for linux included below (works from time to time):
[exploit was here]

Elm without this bug is now available from:
ftp://venus.wis.pk.edu.pl/pub/RPMS/elm-2.4.25-8.i386.rpm
ftp://venus.wis.pk.edu.pl/pub/SRPMS/elm-2.4.25-8.src.rpm

M.

-| == Marcin Bohosiewicz            marcus@venus.wis.pk.edu.pl == |-
-| == tel. +048 (0-12) 37-44-99     marcus@krakow.linux.org.pl == |-
-| == Strona Domowa    -    http://venus.wis.pk.edu.pl/marcus/ == |-


home help back first fref pref prev next nref lref last post