Bugtraq mailing list archives

Re: [MSY] S(ecure)Locate heap corruption vulnerability


From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Mon, 27 Nov 2000 23:57:15 +0100

On Sun, 26 Nov 2000, Michel Kaempf wrote:

A few days ago, zorgon <zorgon () linuxstart com> discovered a problem in
Secure Locate v2.1. When decoding an invalid database specified by a
local user (thanks to the -d command line option), slocate dies with a
segmentation violation:

I discovered "slocate user-supplied database file parsing problems"
some time ago and posted a nice bug report to BUGTRAQ:

http://www.securityfocus.com/archive/1/66045

(...snip...)
- slocate - custom input file can be specified using LOCATE_PATH;
            due to almost no input validation, it's possible to
            supply many different input patterns, some of them will
            cause potentially exploitable SEGVs; please review this
            code. Ah, forgotten, gid slocate can be used to
            access slocate database in unrestricted mode (every
            file in filesystem indexed, including eg. /root,
            web scripts etc),
(...snip...)

I am impressed it hasn't been fixed yet. Amazing.

--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=