[11733] in bugtraq
Re: FreeBSD (and other BSDs?) local root explot
daemon@ATHENA.MIT.EDU (Charles M. Hannum)
Wed Sep 8 05:48:14 1999
Message-Id: <199909031606.MAA06703@bikini.ihack.net>
Date: Fri, 3 Sep 1999 12:06:15 -0400
Reply-To: "Charles M. Hannum" <root@IHACK.NET>
From: "Charles M. Hannum" <root@IHACK.NET>
X-To: Stas Kisel <stas@SONET.CRIMEA.UA>
To: BUGTRAQ@SECURITYFOCUS.COM
As of yesterday, the OpenBSD version of fts.c was still susceptible to
at least two bugs that can cause a core dump when FTS_NOCHDIR is used
(e.g. by pax(1)). Beware if you do backups with pax(1)!
These problems, and others, are fixed in the current NetBSD version.
revision 1.20
date: 1999/08/27 18:01:35; author: mycroft; state: Exp; lines: +16 -10
Fix multiple problems in the FTS_NOCHDIR case:
* There was an off-by-one error that caused the addition of a NUL or
slash in fts_build() to overwrite other memory.
* After fts_palloc(), we need to reset `cp' so that it points to the
new path name buffer; otherwise the addition of the file name before
calling fts_stat() could lose.
