[3534] in bugtraq
Re: [linux-security] ncpmount/ncpumount
daemon@ATHENA.MIT.EDU (Alan Cox)
Tue Oct 22 04:23:06 1996
Date: Mon, 21 Oct 1996 17:58:41 +0100
Reply-To: Alan Cox <coxa@cableol.net>
From: Alan Cox <coxa@cableol.net>
X-To: roessler@sobolev.rhein.de
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <54ffsa$u1e@sobolev.rhein.de> from "Thomas Roessler" at Oct 21, 96 09:30:50 am

> >I haven't had a chance to look at the source code yet, but it appears that
> >ncpmount and ncpumount suffer from exactly the same problem that mount and
> >umount did. In fact, the mount exploit that was so widely circulated works
> >with ncpumount with no modifications.
>
> The buffer overflow you are referring to is hidden in the realpath(3)
> function. So the mount programs are the wrong ones to blame. Rather
> update your C library.

If it's the same as mount and wu.ftpd, it includes realpath (broken version)
with the program and uses that instead of the (fixed) libc one.

Alan
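
The point made in the reply above, that a program shipping its own copy of realpath is unaffected by a libc upgrade, can be checked per binary from its symbol table. The following is an added example, not part of the original thread or of any program named in it; the sample `nm` output and the function names `classify` and `scan` are constructed for illustration.

```python
import subprocess
import sys

# Constructed `nm` output for two hypothetical binaries (not from the thread).
SAMPLE_BUNDLED = """\
0000000000401136 T main
0000000000401250 T realpath
                 U strcpy@GLIBC_2.2.5
"""
SAMPLE_IMPORTED = """\
0000000000401136 T main
                 U realpath@GLIBC_2.3
"""

def classify(nm_output, symbol="realpath"):
    """Return 'bundled' if the binary defines `symbol` itself,
    'imported' if it resolves it from a shared library at run time,
    'absent' if the symbol is not listed (unused, or the binary is stripped)."""
    verdict = "absent"
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        name = parts[-1].split("@", 1)[0]   # drop any @VERSION suffix
        kind = parts[-2]                    # nm symbol type letter
        if name != symbol:
            continue
        # An address plus a text/weak type means the code lives in this file,
        # so a fixed libc will not replace it.
        if len(parts) == 3 and kind in ("T", "t", "W", "w"):
            return "bundled"
        if kind in ("U", "w"):
            verdict = "imported"
    return verdict

def scan(path, symbol="realpath"):
    """Run nm on `path`; fall back to the dynamic table if nothing is listed."""
    out = subprocess.run(["nm", path], capture_output=True, text=True).stdout
    if not out.strip():
        out = subprocess.run(["nm", "-D", path], capture_output=True, text=True).stdout
    return classify(out, symbol)

if __name__ == "__main__":
    for binary in sys.argv[1:]:
        print(f"{binary}: {scan(binary)}")
```

A verdict of `absent` on a stripped, statically linked binary is inconclusive, since a bundled copy would leave no symbol to find; such programs need a source review or a rebuild.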