[19229] in bugtraq
Re: vixie cron possible local root compromise
daemon@ATHENA.MIT.EDU (Wolfgang Wieser)
Thu Feb 15 15:54:17 2001
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <01021420192803.00362@enigma>
Date: Wed, 14 Feb 2001 20:19:28 +0100
Reply-To: wwieser@GMX.DE
From: Wolfgang Wieser <wwieser@GMX.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Note that the proposed patch...
< strcpy(User, pw->pw_name);
---
> strncpy(User, pw->pw_name, MAX_UNAME - 1);
does not completely patch the hole. Okay, shellcode
will get cut off, but strncpy() does not '\0'-terninate the
strings but I saw that the rest of the code (notably the
next line strcpy(RealUser, User); ) assumes a
standard '\0'-terninated string.
So, the patch would be
< strcpy(User, pw->pw_name);
---
> strncpy(User, pw->pw_name, MAX_UNAME - 1);
> User[MAX_UNAME-1]='\0';
wwieser
