[6674] in bugtraq


dip-3.3.7o security hole

daemon@ATHENA.MIT.EDU (Goran Gajic)
Tue May 5 16:45:46 1998

Date: 	Tue, 5 May 1998 13:28:21 +0200
Reply-To: Goran Gajic <ggajic@AFRODITA.RCUB.BG.AC.YU>
From: Goran Gajic <ggajic@AFRODITA.RCUB.BG.AC.YU>
To: BUGTRAQ@NETSPACE.ORG

Hi,

There is a potential security hole in dip-3.3.7o, which is installed
suid root in the Slackware 3.4 distribution (if selected). Just try this:
~> dip -k -l `perl -e 'print "a" x 2000'`
and you will get something like:

DIP: cannot open /var/lock/LCK..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaa:No such file or directory
Segmentation fault

If you look at the dip source, main.c, or do an strace, you will find that the
problem is with sprintf, line 192:

     sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam);

Here is the obvious patch:

--- main.c      Tue Feb 13 03:03:35 1996
+++ main.c      Mon May  4 23:36:49 1998
@@ -189,7 +189,7 @@
     return;
   }

-  sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam);
+  snprintf(buf, sizeof(buf), "%s/LCK..%s", _PATH_LOCKD, nam);

   fp = fopen(buf, "r");
   if (fp == (FILE *)0) {
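Review bot: the snprintf() return value is ignored, so an over-long nam no longer overflows buf but silently yields a truncated lock path, which the following fopen() then uses as if it were the real one; check the result, e.g. `if (snprintf(buf, sizeof(buf), "%s/LCK..%s", _PATH_LOCKD, nam) >= (int)sizeof(buf)) { /* report "lock name too long" */ return; }`, so an oversized name is rejected instead of used. Note also that sizeof(buf) is only the buffer length if buf is declared as a fixed-size array in this function (its declaration is outside the hunk); if buf is a pointer, the real length must be passed instead.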

Or chmod -s dip.

Goran Gajic
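The report's fix stops the overflow but leaves the truncated path in use. The following is an added example, not dip's code, showing the lock-path construction with a truncation check so an over-long name is refused; LOCK_DIR, LOCK_BUF_SIZE and the function names are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for dip's _PATH_LOCKD (assumption, not taken from dip). */
#define LOCK_DIR "/var/lock"
#define LOCK_BUF_SIZE 64   /* small on purpose so the truncation path is exercised */

/* Build "<lockdir>/LCK..<nam>" into buf.
 * Returns 0 on success, -1 if the name is empty or the result would not fit.
 * The original sprintf() wrote past buf for a long nam (the reported crash);
 * a bare snprintf() stops the overflow but silently truncates the path, so
 * the return value is checked here and truncation is treated as an error. */
int build_lock_path(char *buf, size_t buflen, const char *lockdir, const char *nam)
{
    int n;
    if (nam == NULL || nam[0] == '\0')
        return -1;
    n = snprintf(buf, buflen, "%s/LCK..%s", lockdir, nam);
    if (n < 0 || (size_t)n >= buflen) {
        /* the would-be length n does not fit: refuse rather than use a cut path */
        if (buflen > 0)
            buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Mirrors the lock-file step in main.c: the path is only used if built safely. */
int lock_path_ok(const char *nam)
{
    char buf[LOCK_BUF_SIZE];
    return build_lock_path(buf, sizeof buf, LOCK_DIR, nam) == 0;
}

int main(void)
{
    char buf[LOCK_BUF_SIZE];
    /* constructed inputs: a normal device name and a 2000-byte name like the report's */
    char longname[2001];
    memset(longname, 'a', 2000);
    longname[2000] = '\0';

    if (build_lock_path(buf, sizeof buf, LOCK_DIR, "ttyS1") == 0)
        printf("ok: %s\n", buf);
    if (build_lock_path(buf, sizeof buf, LOCK_DIR, longname) != 0)
        printf("rejected: lock name too long (%zu bytes)\n", strlen(longname));
    return 0;
}
```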
