
Security hole in rusers client


From: dholland () EECS HARVARD EDU (David Holland)
Date: Sat, 2 Aug 1997 15:19:30 -0400


(Cc'd to bugtraq since this probably affects everyone, not just Linux...)

-----BEGIN PGP SIGNED MESSAGE-----

Thanks to David Sacerdote of OpenBSD for pointing me in the general
direction of this one.

Patch against netkit-rusers-0.10 follows. netkit-rusers-0.11 will
appear shortly.

If you don't have pgp and don't know how to un-pgp a patch mail me and
I'll send you an unsigned one.

*** rusers.c    1997/04/05 22:26:22     1.9
- --- rusers.c  1997/08/02 15:53:44
***************
*** 155,174 ****
                                        days, hours, minutes, seconds);
                }

                strncpy(remote, up->uia_arr[x]->ui_utmp.ut_host,
!                   sizeof(remote)-1);
                if (strlen(remote) != 0)
                        sprintf(remote, "(%.16s)",
                            up->uia_arr[x]->ui_utmp.ut_host);

                if (longopt) {
!                       strncpy(local, host, sizeof(local));
!                       local[sizeof(local)-1] = 0;
!                       local[HOST_WIDTH + LINE_WIDTH + 1 -
!                           strlen(up->uia_arr[x]->ui_utmp.ut_line) - 1] = 0;
!                       strcat(local, ":");
!                       strcat(local, up->uia_arr[x]->ui_utmp.ut_line);

                        printf("%-8.8s %-*.*s %-12.12s %8s %.18s\n",
                            up->uia_arr[x]->ui_utmp.ut_name,
                            HOST_WIDTH+LINE_WIDTH+1, HOST_WIDTH+LINE_WIDTH+1, local,
- --- 155,186 ----
                                        days, hours, minutes, seconds);
                }

                strncpy(remote, up->uia_arr[x]->ui_utmp.ut_host,
!                       sizeof(remote)-1);
!               remote[sizeof(remote)-1] = 0;
!
                if (strlen(remote) != 0)
                        sprintf(remote, "(%.16s)",
                            up->uia_arr[x]->ui_utmp.ut_host);

                if (longopt) {
!                       /* Fit into HOST_WIDTH+LINE_WIDTH+1 chars */
!                       int len1 = strlen(host);
!                       int len2 = strlen(up->uia_arr[x]->ui_utmp.ut_line);
!                       if (len1 + len2 > HOST_WIDTH+LINE_WIDTH+1) {
!                           int excess = len1 + len2 - HOST_WIDTH-LINE_WIDTH-1;
!                           if (excess < len1) len1 -= excess;
!                           else if (excess < len2) len2 -= excess;
!                           else {
!                               /* Hmm. Probably an attack... */
!                               len1 = HOST_WIDTH;
!                               len2 = LINE_WIDTH;
!                           }
!                       }
!                       snprintf(local, sizeof(local),
!                                "%-.*s:%-.*%s", len1, host, len2,
!                                up->uia_arr[x]->ui_utmp.ut_line);

                        printf("%-8.8s %-*.*s %-12.12s %8s %.18s\n",
                            up->uia_arr[x]->ui_utmp.ut_name,
                            HOST_WIDTH+LINE_WIDTH+1, HOST_WIDTH+LINE_WIDTH+1, local,
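Review bot: The format string in the added snprintf call, `"%-.*s:%-.*%s"`, has a stray `%` in its second conversion, so `%-.*%` is not a valid conversion specification and the ut_line argument is never matched to an `s` conversion. The behaviour is undefined and the tty name will not be printed as intended; the line should read `"%-.*s:%-.*s", len1, host, len2,`. Separately, `strlen(up->uia_arr[x]->ui_utmp.ut_line)` assumes the field is NUL-terminated, while the surrounding printf and sprintf calls bound these utmp fields with explicit precisions. That suggests they may be fixed-width arrays filled from the remote reply; if the struct definition confirms it, compute `len2` with a length bounded by the field size (for example `memchr` over `sizeof` the field) instead. The enclosing function begins and ends outside the hunk.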

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM+Nd8zx1dyEHyT51AQGsYgQAqD+UPi73zrvCYP1Ryve6b78HW+v9aAdX
NMV5eSL0PrzZpkXuB729d9LGDB5DQVx4wud5dsV4t8VYaHXhyi2r/h0xWPAQtapf
yuQKmSuYqYqiU7L02sQfpZn6hCSvbg89H+fIv9yfzp3fVhBysl3ba7UpKzmvLq6v
2ojnl95pwKY=
=lnFR
-----END PGP SIGNATURE-----

--
   - David A. Holland             |    VINO project home page:
     dholland () eecs harvard edu    | http://www.eecs.harvard.edu/vino


