Bugtraq mailing list archives
Re: Security hole in exim 1.62: local root exploit
From: imp () ROVER VILLAGE ORG (Warner Losh)
Date: Tue, 22 Jul 1997 13:09:02 -0600
In message <Pine.SUN.3.94.970722085310.9339D-100000 () dfw dfw net> Aleph One writes: : Summary: The latest released version of exim lets any local user obtain : a root shell. Here's a message from the author with a patch for this problem. 1.651 is the latest test release, btw. Warner Date: Tue, 22 Jul 1997 09:55:00 +0100 (BST) From: Philip Hazel <ph10 () cus cam ac uk> Reply-To: Philip Hazel <ph10 () cus cam ac uk> To: exim-users () lists cam ac uk Subject: Re: Hoo boy... MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Answering my mail didn't take up all the time till my meeting this morning, leaving me time to develop a slightly different patch to the one posted by Jawaid Bazyar. Here are versions for 1.62 and 1.651: ---snip-------------------------------------------------------------------- *** exim-1.62/src/parse.c Wed Apr 16 14:34:49 1997 --- parse.c Tue Jul 22 09:41:50 1997 *************** *** 1037,1042 **** --- 1037,1048 ---- int extracted; FILE *f; + if (len-9 > 255) + { + *error = "included file name is too long"; + return -1; + } + strncpy(filename, s+9, len-9); filename[len-9] = 0; ---snip-------------------------------------------------------------------- *** exim-1.651/src/parse.c Fri Jul 4 16:33:56 1997 --- parse.c Tue Jul 22 09:31:54 1997 *************** *** 1056,1061 **** --- 1056,1067 ---- *error = string_sprintf("file name missing after :include:"); return -1; } + + if (flen > 255) + { + *error = string_sprintf("included file name \"%s\" is too long", t); + return -1; + } strncpy(filename, t, flen); filename[flen] = 0; ---snip-------------------------------------------------------------------- -- Philip Hazel University Computing Service, ph10 () cus cam ac uk New Museums Site, Cambridge CB2 3QG, P.Hazel () ucs cam ac uk England. Phone: +44 1223 334714
Current thread:
- better snprintf replacement, anyone? Theo de Raadt (Jul 19)
- Re: better snprintf replacement, anyone? Steve \ (Jul 21)
- Re: better snprintf replacement, anyone? Manoj Kasichainula (Jul 21)
- Re: better snprintf replacement, anyone? Theo de Raadt (Jul 21)
- Re: better snprintf replacement, anyone? Alan Cox (Jul 22)
- Re: better snprintf replacement, anyone? James Bonfield (Jul 22)
- ld.so vulnerability Aleph One (Jul 22)
- Security hole in exim 1.62: local root exploit Aleph One (Jul 22)
- Re: Security hole in exim 1.62: local root exploit Warner Losh (Jul 22)
- Named Config Files Gus Huber (Jul 22)
- Re: Named Config Files Aveek Datta (Jul 22)
- Re: better snprintf replacement, anyone? Steve \ (Jul 21)
- <Possible follow-ups>
- Re: better snprintf replacement, anyone? Bill Rugolsky Jr. (Jul 22)
- Re: better snprintf replacement, anyone? Casper Dik (Jul 23)
- Re: better snprintf replacement, anyone? der Mouse (Jul 22)
- Re: better snprintf replacement, anyone? Sten Gunterberg (Jul 22)
- Re: better snprintf replacement, anyone? Peter Jeremy (Jul 22)
- Re: better snprintf replacement, anyone? Theo de Raadt (Jul 22)
- Re: better snprintf replacement, anyone? der Mouse (Jul 22)