[15009] in bugtraq
Re: fdmount buffer overflow
daemon@ATHENA.MIT.EDU (Vandoorselaere Yoann)
Wed May 24 13:03:58 2000
Message-Id: <m3em6tqkhf.fsf@test1.mandrakesoft.com>
Date: Tue, 23 May 2000 18:50:20 +0200
Reply-To: Vandoorselaere Yoann <yoann@MANDRAKESOFT.COM>
From: Vandoorselaere Yoann <yoann@MANDRAKESOFT.COM>
X-To: Chmouel Boudjnah <chmouel@mandrakesoft.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Chmouel Boudjnah's message of "23 May 2000 19:40:55 +0200"
Chmouel Boudjnah <chmouel@mandrakesoft.com> writes:
> Greg Olszewski <noop@NWONKNU.ORG> writes:
>
> > Debian 2.1, 2.2, 2.3: fdmount is NOT installed suid.
> > Mandrake 7.0: Vulnerable
>
> All our security system is handled via msec, in this case we add a user
> in the floppy group only if we are in level >= 3.
>
> So we are not affected if by default you did a Server install or set
> your security level to 4 5.
>
> Indeed we are affected if (and only if) the user is in the floppy
> group. A fix (remove suid root) is coming soon.
Here is a patch to correct the fdmount problem...
--- fdmount.c.orig Tue May 23 18:48:40 2000
+++ fdmount.c Tue May 23 18:49:04 2000
@@ -127,9 +127,10 @@
void errmsg(char *text,...) {
char buff[80];
+
va_list p;
va_start(p,text);
- vsprintf(buff,text,p);
+ vsnprintf(buff, 80, text,p);
va_end(p);
if(use_syslog)
syslog(LOG_ERR, "%s: %s\n",curdev,buff);
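Review bot: In errmsg(), the bound passed to vsnprintf is the literal 80, which duplicates the size in `char buff[80];`. Use sizeof(buff) instead so the limit cannot drift from the declaration if the buffer is ever resized. The blank line added after the buff declaration is unrelated whitespace and can be dropped. Also note that with this change any message longer than 79 characters is silently truncated before it reaches syslog; if the full text matters, enlarge the buffer or check the vsnprintf return value.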
--
-- Yoann, http://www.mandrakesoft.com/~yoann/
It is well known that M$ products don't call free() after a malloc().
The Unix community wish them good luck for their future developments.