Bugtraq mailing list archives

Re: Babcia Padlina Ltd. security advisory: mars_nwe buffer


From: huuskone () CC HELSINKI FI (Taneli Huuskonen)
Date: Thu, 2 Sep 1999 05:21:59 +0300


-----BEGIN PGP SIGNED MESSAGE-----

Przemyslaw Frasunek writes:

@@ -103,11 +103,11 @@
   uint8 command[500];
   struct stat statb;
   if (!stat(newname, &statb)) return(EEXIST);
   if (stat(oldname,  &statb)) return(-1);
   else if (!S_ISDIR(statb.st_mode)) return(-1);
- -  sprintf(command, "mv %s %s 2>&1 >/dev/null" , oldname, newname);
+  snprintf(command, sizeof(command)-1, "mv %s %s 2>&1 >/dev/null" , oldname, newname);
   return(system(command));
 }
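Review bot: the snprintf() change closes the overflow of command[500], but the hunk still pastes oldname and newname unescaped into a system() command line, so a name containing `;`, backquotes or `$(...)` runs an arbitrary command with whatever privileges the server holds. Since the function only renames a directory it has already stat()ed, drop the shell entirely and use rename(2) (or fork()/execv("/bin/mv", ...) with the two names as separate argv entries). Two smaller points in the same line: snprintf() takes the full buffer size, so `sizeof(command)-1` is unnecessary, and its return value should be checked so that a truncated command line is never handed to system().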

Without seeing the context, I can't say for sure, but this looks like a
hole big enough to drive a truck through - calling system() with
user-supplied arguments.  If this code is running with superuser
privileges and shell metacharacters haven't been removed very carefully,
there's going to be a trivial exploit.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQB1AwUBN83eygUw3ir1nvhZAQGNzQL/cP/NqiAyq9Pmf5QhPCvSGdbE9LFukkZ+
bJDqmaiQ9l7P/GZcUT1wkEsvE+pS2HI+g6sKyqFzcMgpmov7ojX9oHtpfFdqgJdX
djlXi5LI1PKS4/0jVcUBNQt6mInRyHHO
=Jf2q
-----END PGP SIGNATURE-----

--
I don't   | All messages will be PGP signed,  | Fight for your right to
speak for | encrypted mail preferred.  Keys:  | use sealed envelopes.
the Uni.  | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/
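The point raised above, as an added example that is not part of the original message or of mars_nwe: the patched code's command line is reconstructed (without executing it) so the effect of a name containing shell metacharacters can be seen, a metacharacter check is shown, and the directory rename is done with rename(2), which involves no shell. All function names, the directory names under /tmp and the hostile sample name are this example's own assumptions.

```c
/* Added example (not mars_nwe code): why the snprintf() patch above is
 * not enough, and how to do the rename without a shell at all.
 * Function and variable names here are the example's own. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Characters the shell treats specially. Any of these in a name that is
 * pasted into a system() command line lets the caller run extra commands. */
static const char SHELL_META[] = ";&|`$()<>\"'\\*?[]{}~ \t\n";

/* Returns 1 if s contains a shell metacharacter, else 0. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, SHELL_META) != NULL;
}

/* Builds the same command line the patched code hands to system(), so the
 * injection can be inspected without executing anything. Returns the
 * length of the resulting string, or -1 if it did not fit. */
int build_mv_command(char *buf, size_t bufsize, const char *oldname, const char *newname)
{
    int n = snprintf(buf, bufsize, "mv %s %s 2>&1 >/dev/null", oldname, newname);
    if (n < 0 || (size_t)n >= bufsize)
        return -1; /* truncated: never run a silently shortened command */
    return n;
}

/* Hardened replacement: same stat() checks as the original, then rename(2).
 * No shell is involved, so metacharacters in the names are just characters.
 * Return convention mirrors the original: 0 on success, EEXIST if the target
 * exists, -1 (errno set) otherwise. */
int rename_dir_noshell(const char *oldname, const char *newname)
{
    struct stat statb;
    if (!stat(newname, &statb)) return EEXIST;
    if (stat(oldname, &statb)) return -1;
    if (!S_ISDIR(statb.st_mode)) return -1;
    return rename(oldname, newname) == 0 ? 0 : -1;
}

/* Self-contained demonstration: creates a directory under /tmp whose name
 * contains shell metacharacters (a constructed hostile name), renames it
 * with rename_dir_noshell(), checks the error paths, and cleans up.
 * Returns 0 when everything behaved as expected. */
int demo_rename_noshell(void)
{
    char base[64], from[128], to[128], missing[128];
    int rc = -1;

    snprintf(base, sizeof base, "/tmp/nwdemo.%ld", (long)getpid());
    if (mkdir(base, 0700) != 0) return -1;

    /* Under system() this name would execute "touch x" as a second command. */
    snprintf(from, sizeof from, "%s/a; touch x", base);
    snprintf(to, sizeof to, "%s/b", base);
    snprintf(missing, sizeof missing, "%s/c", base);

    if (mkdir(from, 0700) == 0 &&
        rename_dir_noshell(from, to) == 0 &&          /* plain rename, no shell */
        rename_dir_noshell(from, to) == EEXIST &&     /* target now exists */
        rename_dir_noshell(from, missing) == -1)      /* source is gone */
        rc = 0;

    rmdir(to);
    rmdir(from);
    rmdir(base);
    return rc;
}

int main(void)
{
    char cmd[500];
    const char *hostile = "b; touch /tmp/pwned"; /* constructed sample name */

    build_mv_command(cmd, sizeof cmd, "a", hostile);
    printf("command handed to system(): %s\n", cmd);
    printf("metacharacters present: %d\n", has_shell_meta(hostile));
    printf("rename without shell: %s\n", demo_rename_noshell() == 0 ? "ok" : "failed");
    return 0;
}
```

The metacharacter check is shown only to make the injection visible; the fix the example relies on is not filtering but removing the shell from the path, since rename(2) and execv() pass names to the kernel as opaque strings.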
