[3930] in bugtraq
[linux-security] write(1) leak
daemon@ATHENA.MIT.EDU (David Holland)
Mon Jan 20 14:54:57 1997
Date: Mon, 20 Jan 1997 13:53:26 -0500
Reply-To: David Holland <dholland@eecs.harvard.edu>
From: David Holland <dholland@eecs.harvard.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
> Some versions (the util-linux version, but not the netwrite or netkit
> versions) of /usr/bin/write have a buffer overrun problem that is
> almost certainly exploitable. Note that this gives access to the tty
> group, but not (directly) root.
>
> The fix is to change the two sprintfs to snprintfs. Patches have been
> mailed to the maintainer.

I should note for the bugtraq audience (that message was intended for
linux-security only) that NetBSD is affected, FreeBSD and OpenBSD are
not. At least the -current versions. YMMV.

Also it was brought to my attention that you can't actually perform
the buffer overrun because the overflow string gets checked against
utmp before it has a chance to overflow.

Sorry about the false alarm.

--
- David A. Holland | VINO project home page:
dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino
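
Added example, not part of the original message and not the util-linux source: a C sketch of the two safeguards the thread mentions, an exact match of the terminal name against fixed-width login records before any formatting, and snprintf with a truncation check in place of sprintf. The table contents, the 32-byte field width and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 32   /* assumed width of a utmp-style terminal-name field */
#define PATH_BUF     (sizeof("/dev/") + LINE_MAX_LEN)

/* Constructed stand-in for utmp: fixed-width terminal names of logged-in users. */
static const char logged_in[][LINE_MAX_LEN] = { "tty1", "ttyp0", "ttyp3" };

/* Return 1 only on an exact match; a name too long for the field never matches. */
static int tty_is_logged_in(const char *tty)
{
    size_t i, n = sizeof(logged_in) / sizeof(logged_in[0]);

    if (strlen(tty) >= LINE_MAX_LEN)
        return 0;
    for (i = 0; i < n; i++)
        if (strncmp(tty, logged_in[i], LINE_MAX_LEN) == 0)
            return 1;
    return 0;
}

/* Build "/dev/<tty>" in out. Returns 0 on success, -1 if rejected or truncated. */
static int build_tty_path(const char *tty, char *out, size_t outlen)
{
    int n;

    if (!tty_is_logged_in(tty))
        return -1;                              /* validated before formatting */
    n = snprintf(out, outlen, "/dev/%s", tty);  /* bounded, unlike sprintf */
    if (n < 0 || (size_t)n >= outlen)
        return -1;                              /* truncation is an error, not a path */
    return 0;
}

int main(void)
{
    char path[PATH_BUF];
    char longname[200];

    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';
    printf("known tty:  %d\n", build_tty_path("ttyp0", path, sizeof(path)));
    printf("long name:  %d\n", build_tty_path(longname, path, sizeof(path)));
    return 0;
}
```

The lookup alone already bounds the input, which is the reason given above for the overrun being unreachable; the snprintf check keeps the copy safe even if that lookup is later changed or removed.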