Bugtraq mailing list archives
[linux-security] write(1) leak
From: dholland () EECS HARVARD EDU (David Holland)
Date: Mon, 20 Jan 1997 13:53:26 -0500
Some versions (the util-linux version, but not the netwrite or netkit versions) of /usr/bin/write have a buffer overrun problem that is almost certainly exploitable. Note that this gives access to the tty group, but not (directly) root. The fix is to change the two sprintfs to snprintfs. Patches have been mailed to the maintainer.
I should note for the bugtraq audience (that message was intended for linux-security only) that netbsd is affected, freebsd and openbsd are not. At least the -current versions. YMMV.
Also it was brought to my attention that you can't actually perform the buffer overrun because the overflow string gets checked against utmp before it has a chance to overflow. Sorry about the false alarm.
--
- David A. Holland | VINO project home page:
dholland () eecs harvard edu | http://www.eecs.harvard.edu/vino
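
The sprintf-to-snprintf change named in the post only closes the overrun; the caller still has to notice truncation. The sketch below is an added example, not the util-linux source or the patch mailed to the maintainer: the function name `build_tty_path`, the `/dev/%s` format and the 32-byte buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size for this illustration; not taken from write(1). */
#define TTY_PATH_MAX 32

/*
 * Build "/dev/<tty>" into out. Returns 0 on success, -1 if the result
 * would not fit or formatting failed. snprintf writes at most outlen
 * bytes (terminator included) and returns the length the complete string
 * would have had, so a return value >= outlen means the output was cut.
 */
int build_tty_path(char *out, size_t outlen, const char *tty)
{
    int n;

    if (out == NULL || outlen == 0 || tty == NULL)
        return -1;
    n = snprintf(out, outlen, "/dev/%s", tty);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';      /* never hand back a silently truncated path */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[TTY_PATH_MAX];
    char long_name[256];    /* constructed oversized input */
    int rc;

    memset(long_name, 'A', sizeof(long_name) - 1);
    long_name[sizeof(long_name) - 1] = '\0';

    rc = build_tty_path(path, sizeof(path), "ttyp0");
    printf("short name: rc=%d path=%s\n", rc, path);
    rc = build_tty_path(path, sizeof(path), long_name);
    printf("long name:  rc=%d\n", rc);
    return 0;
}
```

Rejecting the truncated result matters because a shortened device path can name a different, valid file than the one the caller intended.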