[9819] in bugtraq
Re: Linux /usr/bin/gnuplot overflow
daemon@ATHENA.MIT.EDU (Hans-Bernhard Broeker)
Fri Mar 5 12:21:55 1999
Date: Fri, 5 Mar 1999 14:22:45 +0100
Reply-To: Hans-Bernhard Broeker <broeker@PHYSIK.RWTH-AACHEN.DE>
From: Hans-Bernhard Broeker <broeker@PHYSIK.RWTH-AACHEN.DE>
X-To: Lars Hecking <lhecking@nmrc.ucc.ie>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990305122728.C26382@tehran.nmrc.ucc.ie>
On Fri, 5 Mar 1999, Lars Hecking wrote:
> xnec@inferno.tusculum.edu writes:
> > There is a local root comprimise in /usr/bin/gnuplot version Linux version 3.5
> > (pre 3.6) patchlevel beta 336. gnuplot is shipped to install suidroot on
> > SuSE 5.2 and maybe others.
[...]
> This particular piece of code has been changed before the release of
> gnuplot release 3.7 to use a "safe" version of strncpy(). We recommend
> that all vendors shipping obsolete beta versions of gnuplot upgrade.
I strongly second this recommendment. I'll mail S.u.S.E. about it, if
no-one else does (but then, they're bound to have someone reading bugtraq,
right?).
> > Since I can see absolutely no reason for gnuplot to be suidroot, the best
> > fix is chmod -s /usr/bin/gnuplot.
to the bugtraqers: Note that suidroot installation of gnuplot is done
*only* if SVGAlib is found at compile time, and actually used by gnuplot.
So, instead of explicitly disallowing suidroot, the *safe* solution is
to pass the '--without-linux-vga' option to 'configure' to disable
use of SVGAlib, and that's that.
This would also be my suggestion for Linux distributors: put gnuplot into
the 'x-applications' class of packages, compile using
'--without-linux-vga', and make a note in the package description that a
SVGAlib version can be built, as well (or offer that as a separate
package, like it was routinely done with ghostscript, the major precedent
case).
OTOH, no-one with any kind of security concern on their mind would install
SVGAlib, in its current state, would they?
Hans-Bernhard Broeker (broeker@physik.rwth-aachen.de)
Even if all the snow were burnt, ashes would remain.
