Bugtraq mailing list archives

Re: SECURITY: Red Hat Linux 5.1 linuxconf bug


From: araman () CYBER-NETWORKS FR (Matthieu Araman)
Date: Wed, 3 Jun 1998 00:01:54 +0000


Hello,

I've just checked the getenv(LANG) problem in Linuxconf with Linuxconf
1.10r30, the latest version available on ftp.solucorp.qc.ca.

I couldn't crash linuxconf-1.10r30 even with a large LANG variable, so I
downloaded the linuxconf version shipped with RH5.1 (although I still use
RH5.0FR (French Version)) and this version crashes when the LANG variable
is set to a large value.

So I looked at the code in misc/linuxconf.cc where the getenv is done.
The linuxconf version shipped with RedHat introduces memorization of the
language in the /etc/conf.linuxconf file. This functionality was needed
because the LANG variable is not always available to Linuxconf (at boot
time and with the HTML interface) and it defeated the automatic
language selection (which was introduced recently in Linuxconf).

Unfortunately, what's stored in conf.linuxconf is the LANG variable
before it is checked.
As I didn't see any patch and Jack is still not back, I changed the code
a little bit to only store the first two characters of the LANG variable,
which is enough to choose the language.
This should hopefully fix the problem.

So I think all linuxconf versions <=1.10r30 are not vulnerable to this
problem.
Although a good security audit of Linuxconf would be a very good
thing.

Patch (to be applied to Linuxconf 1.10r11 shipped with RedHat) follows:
(I hope I didn't make it wrong)

Note: If you played with Linuxconf 1.11r11, you'll have to manually
delete the linuxconf.lastlang line at the end of /etc/conf.linuxconf

--- linuxconf.cc.orig   Tue Jun  2 22:32:16 1998
+++ linuxconf.cc        Tue Jun  2 23:17:44 1998
@@ -391,18 +391,9 @@
        const char *ret = linuxconf_getlangmanual();
        if (linuxconf_getlangmode()){
                const char *envlang = getenv("LANG");
+               /* LANG env variable should not be trusted at all
+               please check, recheck and improve this code */
                const char *lastlang = linuxconf_getval
(K_LINUXCONF,K_LASTLANG);
-               if (envlang == NULL){
-                       envlang = lastlang;
-               }else{
-                       if (lastlang == NULL ||
strcmp(envlang,lastlang)!=0){
-                               linuxconf_setcursys (subsys_noarch);
-                               linuxconf_replace
(K_LINUXCONF,K_LASTLANG,envlang);
-                               xconf_fopencfg_bypass (true);
-                               linuxconf_save();
-                               xconf_fopencfg_bypass (false);
-                       }
-               }
                if (envlang != NULL && strlen(envlang)>=2){
                        static char ret2[3];
                        ret2[0] = envlang[0];
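
Review bot: The only check before `ret2[0] = envlang[0];` is still `strlen(envlang)>=2`, so the two bytes taken from LANG can be any bytes at all, not just letters. Since the added comment says LANG should not be trusted, I would test both bytes against an explicit a-z/A-Z range before copying them, and replace the "please check, recheck and improve" comment with a statement of what the code now guarantees (only two validated bytes of LANG are ever used or stored).
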
@@ -416,6 +407,29 @@
                                For this we should test if the
subvariant exist and if not
                                try just the first two letters
                        */
+                       /* we try to see if the lang was memorized or if
the lang memorized in conf.linuxconf is the same that we get now
+we memorize the lang cause the LANG variable is not always available to
Linuxconf (at boot time and with html interface). If you've got a better
way to do this... */
+                       if (lastlang == NULL || strlen(lastlang) ||
strlen(lastlang)>5 || strncmp(envlang,lastlang,2)!=0){
+                               /* lastlang did not exist or lang was
modified*/
+                               static char lastlang2[3];
+                               lastlang2[0] = envlang[0];
+                               lastlang2[1] = envlang[1];
+                               lastlang2[2] = '\0';
+                               linuxconf_setcursys (subsys_noarch);
+                               linuxconf_replace
(K_LINUXCONF,K_LASTLANG,lastlang2);
+                               xconf_fopencfg_bypass (true);
+                               linuxconf_save();
+                               xconf_fopencfg_bypass (false);
+                       }
+               }
+               else if (lastlang!=NULL && strlen(lastlang)>=2){
+                       /* we don't get the lang from the LANG variable
*/
+                       /* hopefully we memorized the lang */
+                       static char ret2[3];
+                       ret2[0] = lastlang[0];
+                       ret2[1] = lastlang[1];
+                       ret2[2] = '\0';
+                       ret = ret2;
                }
        }
        if (strcmp(ret,"en")==0) ret = "eng";
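
Review bot: The added condition `lastlang == NULL || strlen(lastlang) || strlen(lastlang)>5 || strncmp(envlang,lastlang,2)!=0` contains a bare `strlen(lastlang)` term, which is true for every non-empty stored value, so the later terms never matter and the branch runs (with `linuxconf_replace` and `linuxconf_save()`) on every call where LANG is set. An empty stored value also enters the branch through the `strncmp` term, so the condition is always true. If the intent was to rewrite only when the stored value is missing, malformed or different, the term should probably read `strlen(lastlang)<2`. Separately, in the new `else if` branch the two bytes of `lastlang` are copied into `ret2` with only a length check; the configuration file may still hold a value written before this patch, so the same letter check as for LANG would be worth applying there.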



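The approach described in the message above (keep only a two-letter language prefix from LANG, fall back to the stored value) as a stand-alone added example; this is not code from the original post or from Linuxconf. The helper names `lang_prefix` and `choose_lang` are hypothetical, and the sample inputs in `main` are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int ascii_letter(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
}

/* Accept "xx", "xx_..", "xx.." or "xx@.." only; write lowercase "xx" to out.
   Looks at no more than three bytes, so input length is irrelevant. */
static int lang_prefix(const char *s, char out[3])
{
    if (s == NULL || !ascii_letter(s[0]) || !ascii_letter(s[1]))
        return 0;
    if (s[2] != '\0' && s[2] != '_' && s[2] != '.' && s[2] != '@')
        return 0;
    out[0] = (char)tolower((unsigned char)s[0]);
    out[1] = (char)tolower((unsigned char)s[1]);
    out[2] = '\0';
    return 1;
}

/* Hypothetical helper: LANG wins when valid, else the stored value is used.
   *need_save tells the caller whether the stored value must be rewritten. */
static int choose_lang(const char *envlang, const char *lastlang,
                       char out[3], int *need_save)
{
    *need_save = 0;
    if (lang_prefix(envlang, out)) {
        *need_save = (lastlang == NULL || strcmp(out, lastlang) != 0);
        return 1;
    }
    return lang_prefix(lastlang, out);
}

int main(void)
{
    char big[4096], out[3];
    int save;
    memset(big, 'A', sizeof big - 1);   /* constructed oversized LANG */
    big[sizeof big - 1] = '\0';
    const char *samples[] = { "fr_FR", "de", big, "../x" };
    for (size_t i = 0; i < 4; i++) {
        if (choose_lang(samples[i], "fr", out, &save))
            printf("lang=%s save=%d\n", out, save);
    }
    return 0;
}
```

The stored value goes through the same validation as LANG, so a value left in the configuration file by an older version is never used as-is.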