[2082] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] [Fwd: SVGATextMode 1.8 /tmp race]

daemon@ATHENA.MIT.EDU (Thomas Walter)
Thu Oct 22 10:02:14 1998

Date: Thu, 22 Oct 1998 11:41:17 +0200
From: Thomas Walter <tw@mail.itreff.de>
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

Just got this on bugtraq...
     Balu

-------- Original Message --------
Subject: SVGATextMode 1.8 /tmp race
Date: Thu, 21 Oct 1999 23:01:34 +0300
From: Adrian Voinea <root@DEATH.GDS.RO>
Reply-To: Adrian Voinea <root@DEATH.GDS.RO>
To: BUGTRAQ@NETSPACE.ORG

Hello,
savetextmode, a utility that comes with SVGATextMode 1.8, saves the text
mode data in /tmp, in two files with the mode 644:

[/tmp]
root@Death# ls -lA
total 1
drwxrwxrwx   2 root     gods         1024 Sep 24  1998 .X11-unix/

[/tmp]
root@Death# savetextmode
svgalib: Using S3 driver (Trio64, 4096K).
svgalib: s3: chipsets newer than S3-864 is not supported well yet.
svgalib: RAMDAC: Trio64: MCLK = 47.131 MHz

[/tmp]
root@Death# ls -lA
total 35
drwxrwxrwx   2 root     gods         1024 Sep 24  1998 .X11-unix/
-rw-r--r--   1 root     gods        32768 Oct 21 22:56 fontdata
-rw-r--r--   1 root     gods          385 Oct 21 22:56 textregs

Also, I would like to add that savetextmode accepts no parameters.


[mod: The rest of this message is completely bogus: SVGATextMode has
NOTHING whatsoever to do with "savetextmode", which comes from the
svgalib package.... -- REW]

So... any user on the system that knows that the root is using
SVGATextMode could link any of the files to a file that he wants to be
overwritten.
The e-mail is cc-ed to the maker of SVGATextMode,
koen.gadeyne@barco.com.

.=-=-=-=-=-=-=-=-=.=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=.
| Adrian Voinea   |When I Die, I want to go like my grandfather did,  |
|   adi@gds.ro    |peacefully in his sleep. Not yelling and screaming,|
|TEL:+40 51 412146|like all the passengers in his car! .=-=-=-=-=-=-=-'
`=-=-=-=-=-=-=-=-='=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null


home help back first fref pref prev next nref lref last post