[15369] in bugtraq
Re: Splitvt exploit
daemon@ATHENA.MIT.EDU (Andrey Savochkin)
Fri Jun 16 14:00:50 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000616173820.A18725@saw.sw.com.sg>
Date: Fri, 16 Jun 2000 17:38:20 +0800
Reply-To: Andrey Savochkin <saw@SAW.SW.COM.SG>
From: Andrey Savochkin <saw@SAW.SW.COM.SG>
X-To: Joey Hess <joey@KITENET.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000614192837.A20973@kitenet.net>; from "Joey Hess" on Wed, Jun 14, 2000 at 07:28:37PM
Hello,
On Wed, Jun 14, 2000 at 07:28:37PM -0700, Joey Hess wrote:
> Note that in addition to the above fix, version 1.6.4-3 of splitvt in
> Debian is no longer suid root, just sgid utmp. If any further security
> holes are found (the program could use a thurough audit), I hope this
> will greatly reduce the magnitude of the exploit. A patch for glibc
> systems follows, which I have already sent to the author of splitvt.
>
[snip]
> @@ -108,6 +108,9 @@
>
> /* Set our uid to our real uid if necessary */
> (void) setuid(getuid());
> + /* Same for gid (program may be setgid utmp on some
> + * systems). */
> + (void) setgid(getgid());
>
> /* Run the requested program, with possible leading dash. */
> execvp(((*argv[0] == '-') ? argv[0]+1 : argv[0]), argv);
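Review bot: both setuid(getuid()) and the new setgid(getgid()) have their return values cast to void, so a failed drop is silent and the execvp() two lines below still runs the requested program with whatever privilege the process kept; check both calls and abort on failure, e.g. `if (setgid(getgid()) != 0 || setuid(getuid()) != 0) { perror("drop privileges"); exit(1); }`. The ordering in the hunk is also backwards from the usual practice: once setuid() has made the effective uid non-zero, a later setgid() may only switch to the real or saved gid, so the gid (and, for a suid-root build, the supplementary groups) should be dropped first and the uid last.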
I don't know what splitvt is, but shouldn't setgid go _before_ the setuid call for dropping privileges?
Best regards
Andrey V. Savochkin
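An added example, not code from this thread or from splitvt, showing the privilege-dropping sequence the reply asks about: groups first, uid last, every return value checked, and the result verified before anything is executed. The helper name `drop_privileges` and the `main` wrapper are assumptions for illustration; the program is safe to run unprivileged, where the calls are effectively no-ops and the verification still applies.

```c
/* Added example (not from the thread or from splitvt): drop privileges in
 * the order the reply suggests and refuse to continue if the drop fails. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Hypothetical helper. Returns 0 when the effective ids now equal the real
 * ids and root cannot be regained; -1 on any failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* 1. Supplementary groups can only be changed while still root, so do it
     *    first (and only) when we actually are root. */
    if (geteuid() == 0 && setgroups(1, &rgid) != 0)
        return -1;

    /* 2. gid before uid: once the effective uid is non-zero, setgid() may only
     *    reach the real or saved gid, so change the group while still able. */
    if (setgid(rgid) != 0)
        return -1;

    /* 3. uid last. As root, setuid() resets real, effective and saved uid,
     *    so there is no saved root id left to return to. */
    if (setuid(ruid) != 0)
        return -1;

    /* 4. Verify rather than trust the calls: effective must equal real. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;

    /* 5. If we were dropping to a non-root user, regaining root must fail. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;

    return 0;
}

int main(int argc, char **argv)
{
    if (drop_privileges() != 0) {
        fprintf(stderr, "failed to drop privileges, refusing to continue\n");
        return 1;  /* never exec the user's program with privileges held */
    }
    printf("running as uid=%u gid=%u\n",
           (unsigned)geteuid(), (unsigned)getegid());

    /* Mirrors the splitvt pattern: only exec once the drop is confirmed. */
    if (argc > 1) {
        execvp(argv[1], argv + 1);
        perror("execvp");
        return 1;
    }
    return 0;
}
```

Run it as an ordinary user and the ids printed are your own; built setgid or setuid, the printed ids are still the real ones, and any failure in the sequence exits before `execvp`.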