Bugtraq mailing list archives
Re: Linux /usr/bin/gnuplot overflow
From: broeker () PHYSIK RWTH-AACHEN DE (Hans-Bernhard Broeker)
Date: Fri, 5 Mar 1999 14:22:45 +0100
On Fri, 5 Mar 1999, Lars Hecking wrote:
xnec () inferno tusculum edu writes:

There is a local root compromise in /usr/bin/gnuplot version Linux version 3.5 (pre 3.6) patchlevel beta 336. gnuplot is shipped to install suidroot on SuSE 5.2 and maybe others.
[...]
This particular piece of code has been changed before the release of gnuplot release 3.7 to use a "safe" version of strncpy(). We recommend that all vendors shipping obsolete beta versions of gnuplot upgrade.
I strongly second this recommendation. I'll mail S.u.S.E. about it, if no-one else does (but then, they're bound to have someone reading bugtraq, right?).
Since I can see absolutely no reason for gnuplot to be suidroot, the best fix is chmod -s /usr/bin/gnuplot.
to the bugtraqers: Note that suidroot installation of gnuplot is done *only* if SVGAlib is found at compile time, and actually used by gnuplot. So, instead of explicitly disallowing suidroot, the *safe* solution is to pass the '--without-linux-vga' option to 'configure' to disable use of SVGAlib, and that's that.

This would also be my suggestion for Linux distributors: put gnuplot into the 'x-applications' class of packages, compile using '--without-linux-vga', and make a note in the package description that a SVGAlib version can be built, as well (or offer that as a separate package, like it was routinely done with ghostscript, the major precedent case).

OTOH, no-one with any kind of security concern on their mind would install SVGAlib, in its current state, would they?

Hans-Bernhard Broeker (broeker () physik rwth-aachen de)
Even if all the snow were burnt, ashes would remain.
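
The message above mentions that the fix was a switch to a "safe" version of strncpy(). As an added example (not gnuplot's code and not part of this post), the C below shows why plain strncpy() is not sufficient on its own and what a terminating, truncation-reporting wrapper does; `bounded_copy` and `strncpy_left_unterminated` are hypothetical names and the input string is constructed.

```c
/* Added example, not gnuplot source: a bounded copy that always terminates. */
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy src into dst[dstsize], always NUL-terminated.
 * Returns 0 if src fit, 1 if it was truncated, -1 on unusable arguments. */
int bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t len;

    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    len = strlen(src);
    if (len >= dstsize) {
        memcpy(dst, src, dstsize - 1);   /* keep one byte for the terminator */
        dst[dstsize - 1] = '\0';
        return 1;                        /* caller can reject truncated input */
    }
    memcpy(dst, src, len + 1);           /* includes the terminator */
    return 0;
}

/* The strncpy() pitfall: returns 1 if strncpy() wrote n bytes into the
 * buffer without placing a terminator among them, 0 otherwise. */
int strncpy_left_unterminated(const char *src, size_t n)
{
    char buf[64];

    if (src == NULL || n == 0 || n > sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);        /* make a missing '\0' observable */
    strncpy(buf, src, n);
    return memchr(buf, '\0', n) == NULL;
}

int main(void)
{
    char small[8];
    const char *input = "constructed-input-longer-than-the-buffer";
    int rc = bounded_copy(small, input, sizeof small);

    printf("bounded_copy rc=%d result=\"%s\"\n", rc, small);
    printf("strncpy left buffer unterminated: %d\n",
           strncpy_left_unterminated(input, sizeof small));
    return 0;
}
```
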