Re: SECURITY: Red Hat Linux 5.1 linuxconf bug (fwd)

[chris () FERRET LMH OX AC UK (Chris Evans)]

Hi!!

Someone wrote:

> the binary RPMs have always been shipped with suid linuxconf. Does this
> announce mean that linuxconf has been found insecure, so that is MUST not
> be used suid ? I haven't seen anything about linuxconf on BUGTRAQ, apart
> from your posting.

I alerted RedHat to the insecurity in a suid root linuxconf. I didn't cc:
to bugtraq (only the xosview got cc:'ed here which still isn't fixed).


Now RedHat have a fixed rpm out, I suppose I had better spill the beans.

Set environment variable "LANG" to a long string (about 1k should do it).
Run linuxconf. Watch crash. Smile.

Note that discovery of this problem was trivial.

Most importantly, please note that there are probably plenty of other
security holes in linuxconf apart from this one.

Cheers
Chris