Return-Path: owner-bugtraq@SECURITYFOCUS.COM
References: <392EA476.5825D813@gsu.linux.org.tr>
Lines: 24
User-Agent: Gnus/5.0807 (Gnus v5.8.7) Emacs/20.5
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <m2hfbi2w3w.fsf@vador.mandrakesoft.com>
Date:         Sun, 28 May 2000 23:38:59 +0200
Reply-To: Chmouel Boudjnah <chmouel@MANDRAKESOFT.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Chmouel Boudjnah <chmouel@MANDRAKESOFT.COM>
Subject:      Re: KDE: /usr/bin/kdesud, gid = 0  exploit
X-To:         noir <noir@GSU.LINUX.ORG.TR>
X-cc:         BUGTRAQ@SECURITYFOCUS.COM, Pascal Rigaux 
              <pixel@linux-mandrake.com>, future@linux-mandrake.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  noir's message of "Fri, 26 May 2000 19:21:10 +0300"

noir <noir@GSU.LINUX.ORG.TR> writes:

> /usr/bin/kdesud has a DISPLAY environment variable overflow.
> Tested on Mandrake 7.02 (Air); the exploit will get you gid=0.

Here is the patch:

--- kdesu/kdesud/kdesud.cpp.chmou       Sun May 28 23:31:28 2000
+++ kdesu/kdesud/kdesud.cpp     Sun May 28 23:31:41 2000
@@ -161,7 +161,8 @@

     struct sockaddr_un addr;
     addr.sun_family = AF_UNIX;
-    strcpy(addr.sun_path, sock.c_str());
+    strncpy(addr.sun_path, sock.c_str(), sizeof(addr.sun_path) - 1);
+    addr.sun_path[sizeof(addr.sun_path) - 1] = 0;
     addrlen = SUN_LEN(&addr);
     if (bind(sockfd, (struct sockaddr *)&addr, addrlen) < 0) {
        xerror("bind(): %s");
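Review bot: the strncpy/NUL-terminator pair in this hunk stops the overflow but silently truncates an over-long socket name, so a DISPLAY value that no longer fits in `addr.sun_path` makes kdesud bind a different path than the one it computed instead of refusing to start; an explicit length check before the copy, e.g. `if (sock.length() >= sizeof(addr.sun_path)) xerror("socket path too long: %s");`, rejects the bad input outright and keeps the bound path identical to `sock`. The `sizeof(addr.sun_path) - 1` bound plus the explicit terminator is otherwise correct, and `SUN_LEN(&addr)` on the following line then computes the right address length for `bind()`.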


--
MandrakeSoft Inc                http://www.mandrakesoft.com
In travel.                                        --Chmouel