[17820] in bugtraq
Re: [MSY] S(ecure)Locate heap corruption vulnerability
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Tue Nov 28 16:31:41 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.30.0011272347010.23147-100000@dione.ids.pl>
Date: Mon, 27 Nov 2000 23:57:15 +0100
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To: Michel Kaempf <maxx@MASTERSECURITY.FR>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20001126233825.A23930@via.ecp.fr>
On Sun, 26 Nov 2000, Michel Kaempf wrote:
> A few days ago, zorgon <zorgon@linuxstart.com> discovered a problem in
> Secure Locate v2.1. When decoding an invalid database specified by a
> local user (thanks to the -d command line option), slocate dies with a
> segmentation violation:
I've discovered "slocate user-supplied database file parsing problems"
some time ago and posted nice bugreport to BUGTRAQ:
http://www.securityfocus.com/archive/1/66045
(...snip...)
- slocate - custom input file can be specified using LOCATE_PATH;
due to almost no input validation, it's possible to
supply many different input patterns, some of them will
cause potentially exploitable SEGVs; please review this
code. Ah, forgotten, gid slocate can be used to
access slocate database in unrestricted mode (every
file in filesystem indexed, including eg. /root,
web scripts etc),
(...snip...)
I am impressed it hasn't been fixed yet. Amazing.
--
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
