[15097] in bugtraq
Re: KDE: /usr/bin/kdesud, gid = 0 exploit
daemon@ATHENA.MIT.EDU (Chmouel Boudjnah)
Mon May 29 16:33:07 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <m2hfbi2w3w.fsf@vador.mandrakesoft.com>
Date: Sun, 28 May 2000 23:38:59 +0200
Reply-To: Chmouel Boudjnah <chmouel@MANDRAKESOFT.COM>
From: Chmouel Boudjnah <chmouel@MANDRAKESOFT.COM>
X-To: noir <noir@GSU.LINUX.ORG.TR>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: noir's message of "Fri, 26 May 2000 19:21:10 +0300"
noir <noir@GSU.LINUX.ORG.TR> writes:
> /usr/bin/kdesud has DISPLAY environment variable overflow.
> tested on Mandrake 7.02 (Air), exploit will get you gid=0
Here is the patch:
--- kdesu/kdesud/kdesud.cpp.chmou Sun May 28 23:31:28 2000
+++ kdesu/kdesud/kdesud.cpp Sun May 28 23:31:41 2000
@@ -161,7 +161,8 @@
struct sockaddr_un addr;
addr.sun_family = AF_UNIX;
- strcpy(addr.sun_path, sock.c_str());
+ strncpy(addr.sun_path, sock.c_str(), sizeof(addr.sun_path) - 1);
+ addr.sun_path[sizeof(addr.sun_path) - 1] = 0;
addrlen = SUN_LEN(&addr);
if (bind(sockfd, (struct sockaddr *)&addr, addrlen) < 0) {
xerror("bind(): %s");
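Review bot: The strncpy/explicit-terminator pair in this hunk stops the overflow of addr.sun_path, but it truncates silently: a socket name longer than sizeof(addr.sun_path) - 1 is cut off and the daemon then binds a different path from the one the rest of the code believes it is using. Since the report says the oversized input comes from the DISPLAY environment variable, an attacker-influenced length should be rejected rather than trimmed; suggest adding, before the copy, something like `if (sock.length() >= sizeof(addr.sun_path)) xerror("socket name too long");` so an over-long name fails loudly instead of binding to a truncated path. The hunk also only covers this one copy into sun_path; it is not visible from these lines whether the DISPLAY-derived string is copied into any other fixed-size buffer elsewhere in kdesud, which would be worth confirming before treating the overflow as closed.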
--
MandrakeSoft Inc http://www.mandrakesoft.com
In travel. --Chmouel