[542] in linux-security and linux-alert archive
Re: rxvt security hole
daemon@ATHENA.MIT.EDU (Marc Ewing)
Tue Jan 2 16:39:27 1996
To: linux-security@tarsier.cv.nrao.edu
cc: bugtraq@crimelab.com, nation@rocket.sanders.lockheed.com
In-reply-to: <ckuEBo_00iWY00k1kO@andrew.cmu.edu> from
owner-linux-security@tarsier.cv.nrao.edu on Tue, 02 Jan 1996 05:05:40 EST.
Date: Tue, 02 Jan 1996 14:14:35 -0500
From: Marc Ewing <marc@redhat.com>
Can anyone tell me if the appended patch does what is needed here? It
seems to work (i.e., the exploit code results in a suid `marc' shell when
I run it). If so, I'll make a new rpm (this is for Red Hat 2.X) and
post an announcement here and to the redhat-list.
Thanks,
Marc
--
--- rxvt/command.c.marc Tue Jan 2 14:00:59 1996
+++ rxvt/command.c Tue Jan 2 14:08:28 1996
@@ -1350,8 +1350,19 @@
char rev_escape_seq [4] = "i4[\033";
int index = 0;
FILE *pipe_file;
+ uid_t saved_uid;
+ gid_t saved_gid;
+
+ saved_uid = geteuid();
+ saved_gid = getegid();
+ seteuid(getuid());
+ setegid(getgid());
pipe_file = popen (print_pipe, "w");
+
+ seteuid(saved_uid);
+ setegid(saved_gid);
+
if (pipe_file == NULL)
{
fprintf (stderr, "rxvt: can't open printer pipe!\n");
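Review bot: the return values of seteuid(getuid()) and setegid(getgid()) before the popen() call are ignored, so if either call fails the printer pipe still runs print_pipe with rxvt's effective privileges, which is exactly the hole this patch is meant to close. Check both and refuse to open the pipe on failure, e.g.
    if (setegid(getgid()) < 0 || seteuid(getuid()) < 0) { fprintf (stderr, "rxvt: can't drop privileges!\n"); return; }
Note the order in that suggestion: drop the group ID first, while the effective uid still has the privilege to change it. The hunk does seteuid() first, which happens to work because setegid() to the real gid is always permitted, but gid-before-uid is the safe habit and costs nothing.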
--- rxvt/screen.c.marc Tue Jan 2 14:01:05 1996
+++ rxvt/screen.c Tue Jan 2 14:08:35 1996
@@ -2164,8 +2164,19 @@
char *pl;
FILE *pipe_file;
int i,lim,ll;
+ uid_t saved_uid;
+ gid_t saved_gid;
+
+ saved_uid = geteuid();
+ saved_gid = getegid();
+ seteuid(getuid());
+ setegid(getgid());
pipe_file = popen(print_pipe,"w");
+
+ seteuid(saved_uid);
+ setegid(saved_gid);
+
if (pipe_file == NULL)
{
fprintf(stderr, "rxvt: can't open printer pipe!\n");
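Review bot: this block in screen.c is the same save/drop/popen/restore sequence as the one in command.c, line for line; factor it into one helper (a popen_as_user() or similar that both print paths call) so the checks live in one place and a future fix lands once. Two points on the restore: seteuid(saved_uid) only succeeds because the saved set-user-ID still holds the privileged uid, so the patch relies on saved-ID semantics (fine on Linux, but worth a comment), and a failed restore is silently ignored here, which would leave rxvt running with unexpected IDs for everything after the print; treat a failure of either restore call as fatal. The restore itself is safe with respect to the pipe: by the time popen() returns, the child has exec'd /bin/sh with euid == ruid, so regaining privilege in the parent does not leak back to print_pipe.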