Re: Linux /usr/bin/gnuplot overflow

[broeker () PHYSIK RWTH-AACHEN DE (Hans-Bernhard Broeker)]

On Fri, 5 Mar 1999, Lars Hecking wrote:

> xnec () inferno tusculum edu writes:
> > There is a local root comprimise in /usr/bin/gnuplot version Linux version 3.5
> > (pre 3.6) patchlevel beta 336.  gnuplot is shipped to install suidroot on
> > SuSE 5.2 and maybe others.
[...]

>  This particular piece of code has been changed before the release of
>  gnuplot release 3.7 to use a "safe" version of strncpy(). We recommend
>  that all vendors shipping obsolete beta versions of gnuplot upgrade.

I strongly second this recommendment. I'll mail S.u.S.E. about it, if
no-one else does (but then, they're bound to have someone reading bugtraq,
right?).

> > Since I can see absolutely no reason for gnuplot to be suidroot, the best
> > fix is chmod -s /usr/bin/gnuplot.

to the bugtraqers: Note that suidroot installation of gnuplot is done
*only* if SVGAlib is found at compile time, and actually used by gnuplot.
So, instead of explicitly disallowing suidroot, the *safe* solution is
to pass the '--without-linux-vga' option to 'configure' to disable
use of SVGAlib, and that's that.

This would also be my suggestion for Linux distributors: put gnuplot into
the 'x-applications' class of packages, compile using
'--without-linux-vga', and make a note in the package description that a
SVGAlib version can be built, as well (or offer that as a separate
package, like it was routinely done with ghostscript, the major precedent
case).

OTOH, no-one with any kind of security concern on their mind would install
SVGAlib, in its current state, would they?

Hans-Bernhard Broeker (broeker () physik rwth-aachen de)
Even if all the snow were burnt, ashes would remain.