Bugtraq mailing list archives
Security hole in rusers client
From: dholland () EECS HARVARD EDU (David Holland)
Date: Sat, 2 Aug 1997 15:19:30 -0400
(Cc'd to bugtraq since this probably affects everyone, not just Linux...)

-----BEGIN PGP SIGNED MESSAGE-----

Thanks to David Sacerdote of OpenBSD for pointing me in the general direction of this one.

Patch against netkit-rusers-0.10 follows. netkit-rusers-0.11 will appear shortly. If you don't have pgp and don't know how to un-pgp a patch mail me and I'll send you an unsigned one.

*** rusers.c 1997/04/05 22:26:22 1.9 - --- rusers.c 1997/08/02 15:53:44 *************** *** 155,174 **** days, hours, minutes, seconds); } strncpy(remote, up->uia_arr[x]->ui_utmp.ut_host, ! sizeof(remote)-1); if (strlen(remote) != 0) sprintf(remote, "(%.16s)", up->uia_arr[x]->ui_utmp.ut_host); if (longopt) { ! strncpy(local, host, sizeof(local)); ! local[sizeof(local)-1] = 0; ! local[HOST_WIDTH + LINE_WIDTH + 1 - ! strlen(up->uia_arr[x]->ui_utmp.ut_line) - 1] = 0; ! strcat(local, ":"); ! strcat(local, up->uia_arr[x]->ui_utmp.ut_line); printf("%-8.8s %-*.*s %-12.12s %8s %.18s\n", up->uia_arr[x]->ui_utmp.ut_name, HOST_WIDTH+LINE_WIDTH+1, HOST_WIDTH+LINE_WIDTH+1, local, - --- 155,186 ---- days, hours, minutes, seconds); } strncpy(remote, up->uia_arr[x]->ui_utmp.ut_host, ! sizeof(remote)-1); ! remote[sizeof(remote)-1] = 0; ! if (strlen(remote) != 0) sprintf(remote, "(%.16s)", up->uia_arr[x]->ui_utmp.ut_host); if (longopt) { ! /* Fit into HOST_WIDTH+LINE_WIDTH+1 chars */ ! int len1 = strlen(host); ! int len2 = strlen(up->uia_arr[x]->ui_utmp.ut_line); ! if (len1 + len2 > HOST_WIDTH+LINE_WIDTH+1) { ! int excess = len1 + len2 - HOST_WIDTH-LINE_WIDTH-1; ! if (excess < len1) len1 -= excess; ! else if (excess < len2) len2 -= excess; ! else { ! /* Hmm. Probably an attack... */ ! len1 = HOST_WIDTH; ! len2 = LINE_WIDTH; ! } ! } ! snprintf(local, sizeof(local), ! "%-.*s:%-.*%s", len1, host, len2, ! 
up->uia_arr[x]->ui_utmp.ut_line); printf("%-8.8s %-*.*s %-12.12s %8s %.18s\n", up->uia_arr[x]->ui_utmp.ut_name, HOST_WIDTH+LINE_WIDTH+1, HOST_WIDTH+LINE_WIDTH+1, local, -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBM+Nd8zx1dyEHyT51AQGsYgQAqD+UPi73zrvCYP1Ryve6b78HW+v9aAdX NMV5eSL0PrzZpkXuB729d9LGDB5DQVx4wud5dsV4t8VYaHXhyi2r/h0xWPAQtapf yuQKmSuYqYqiU7L02sQfpZn6hCSvbg89H+fIv9yfzp3fVhBysl3ba7UpKzmvLq6v 2ojnl95pwKY= =lnFR -----END PGP SIGNATURE----- -- - David A. Holland | VINO project home page: dholland () eecs harvard edu | http://www.eecs.harvard.edu/vino
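Review bot: the format string in the new snprintf call, "%-.*s:%-.*%s", has a stray % in its second conversion. "%-.*%" is not a valid conversion specification, so the behaviour is undefined, len2 is consumed as a precision for nothing, and ut_line is never printed through an s conversion; it should read "%-.*s:%-.*s". The length check also leaves out the ':' that the format inserts: it tests len1 + len2 against HOST_WIDTH+LINE_WIDTH+1, the same width the following printf uses for the whole column, so after trimming the formatted string is still one character wider than the column and the last character of the line name is clipped on output. Comparing and computing excess with len1 + len2 + 1 would match the comment "Fit into HOST_WIDTH+LINE_WIDTH+1 chars". Separately, the unchanged sprintf(remote, "(%.16s)", ...) writes up to 19 bytes including the terminator without reference to sizeof(remote), whose declaration is outside this hunk; switching it to snprintf(remote, sizeof(remote), ...) would make it consistent with the new handling of local.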