Bugtraq mailing list archives
Re: [MSY] S(ecure)Locate heap corruption vulnerability
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Mon, 27 Nov 2000 23:57:15 +0100
On Sun, 26 Nov 2000, Michel Kaempf wrote:
> A few days ago, zorgon <zorgon () linuxstart com> discovered a problem in Secure Locate v2.1. When decoding an invalid database specified by a local user (thanks to the -d command line option), slocate dies with a segmentation violation:
I've discovered "slocate user-supplied database file parsing problems" some time ago and posted nice bugreport to BUGTRAQ: http://www.securityfocus.com/archive/1/66045

(...snip...)

- slocate - custom input file can be specified using LOCATE_PATH; due to almost no input validation, it's possible to supply many different input patterns, some of them will cause potentially exploitable SEGVs; please review this code. Ah, forgotten, gid slocate can be used to access slocate database in unrestricted mode (every file in filesystem indexed, including eg. /root, web scripts etc),

(...snip...)

I am impressed it hasn't been fixed yet. Amazing.

--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};: =--=>
Did you know that clones never use mirrors? <=--=