Re: fdmount buffer overflow

[yoann () MANDRAKESOFT COM (Vandoorselaere Yoann)]

Chmouel Boudjnah <chmouel () mandrakesoft com> writes:

> Greg Olszewski <noop () NWONKNU ORG> writes:
>
> > Debian 2.1, 2.2, 2.3:  fdmount is NOT installed suid.
> > Mandrake 7.0: Vulnerable
>
> All our security system is handle via msec, in this case we add a user
> in the floppy group only if we are in level >= 3.
>
> So we are not affected if by default you did an Server install or set
> your security level to 4 5.
>
> Indeed we are affected if (and only if) the user is in the floppy
> group. A fix (remove suid root) come soon.

Here is a patch to correct the fdmount problem...

--- fdmount.c.orig      Tue May 23 18:48:40 2000
+++ fdmount.c   Tue May 23 18:49:04 2000
@@ -127,9 +127,10 @@

 void errmsg(char *text,...) {
     char buff[80];
+
     va_list p;
     va_start(p,text);
-    vsprintf(buff,text,p);
+    vsnprintf(buff, 80, text,p);
     va_end(p);
     if(use_syslog)
        syslog(LOG_ERR, "%s: %s\n",curdev,buff);


--
                   -- Yoann,  http://www.mandrakesoft.com/~yoann/
     It is well known that M$ products don't call free() after a malloc().
     The Unix community wish them good luck for their future developments.