[4157] in bugtraq


Re: xterm segfaults from environment variables - too obvious

daemon@ATHENA.MIT.EDU (Alex Belits)
Tue Mar 11 17:59:59 1997

Date: 	Tue, 11 Mar 1997 14:03:51 -0800
Reply-To: Alex Belits <abelits@PHOBOS.ILLTEL.DENVER.CO.US>
From: Alex Belits <abelits@PHOBOS.ILLTEL.DENVER.CO.US>
X-To:         David Luyer <luyer@ucs.uwa.edu.au>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.3.95q.970312004144.23097F-100000@typhaon.ucs.uwa.edu.au>

On Wed, 12 Mar 1997, David Luyer wrote:

> This system is not vulnerable to the overflow previously mentioned on
> bugtraq for X11R6.1.  It's stock debian 1.2.8 (progressively upgraded
> since 1.1.something, but that should be irrelevant).
>
> The main point of my previous email was to show how easy it is to find
> this kind of bug - I took a system which had all the latest security fixes
> as at yesterday, added 5 minutes of my time and had a buffer overflow.
> With very little work the scripts could be made to probe all suid binaries
> on a standard install (they need to be run as root of course to set
> preload for suid executables) for buffer overflows after getenv() calls.

  After some looking at the code I think I've found the real cause of the
coredumps. getenv in getenv2.so always returns the same static buffer,
while the real getenv returns pointers to the actual environment. xterm crashes
with getenv2.so compiled from the given source but doesn't crash if the static
keyword is removed, thus causing the "environment values" to be malloc'ed every
time.

--
Alex
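An added example (not code from this thread or from getenv2.so) that models the aliasing Alex describes: a getenv() stand-in that hands back one static buffer beside one that allocates per call, plus a caller that, like xterm, keeps the first result across a second lookup. The function names and the "fake-" values are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the getenv() in the original getenv2.so: the value lives in
 * one static buffer, so every call returns the same address and the newest
 * value overwrites all earlier ones. */
char *getenv_static_buf(const char *name)
{
    static char buf[128];
    snprintf(buf, sizeof buf, "fake-%s", name);   /* constructed value */
    return buf;
}

/* The variant Alex describes: with `static` gone the value is malloc'ed on
 * every call, so earlier results stay valid, just as the real getenv()'s
 * pointers into the process environment do. Leaks by design, as a
 * preloaded harness would. */
char *getenv_malloc(const char *name)
{
    size_t n = strlen(name) + sizeof "fake-";
    char *buf = malloc(n);
    if (buf != NULL)
        snprintf(buf, n, "fake-%s", name);        /* constructed value */
    return buf;
}

/* The pattern that trips the static version: a program such as xterm looks
 * up several variables first and uses the earlier ones later. Returns 1 if
 * the first value is still intact after the second lookup, 0 if the second
 * lookup clobbered it (both pointers alias the same storage). */
int first_lookup_survives(char *(*get)(const char *))
{
    char *term = get("TERM");
    char *home = get("HOME");
    int ok = term != NULL && home != NULL && term != home
             && strcmp(term, "fake-TERM") == 0 && strcmp(home, "fake-HOME") == 0;
    if (get == getenv_malloc) {
        free(term);
        free(home);
    }
    return ok;
}

int main(void)
{
    printf("static buffer:   first lookup survives = %d\n",
           first_lookup_survives(getenv_static_buf));
    printf("malloc per call: first lookup survives = %d\n",
           first_lookup_survives(getenv_malloc));
    return 0;
}
```

The static variant reports 0 because the second lookup overwrote the first value in place; the per-call allocation reports 1, which is why the crash disappears once the static keyword is removed.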
