Return-Path: owner-bugtraq@SECURITYFOCUS.COM
References: <392EA476.5825D813@gsu.linux.org.tr>
Lines: 24
User-Agent: Gnus/5.0807 (Gnus v5.8.7) Emacs/20.5
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 28 May 2000 23:38:59 +0200
Reply-To: Chmouel Boudjnah
Sender: Bugtraq List
From: Chmouel Boudjnah
Subject: Re: KDE: /usr/bin/kdesud, gid = 0 exploit
X-To: noir
X-cc: BUGTRAQ@SECURITYFOCUS.COM, Pascal Rigaux, future@linux-mandrake.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: noir's message of "Fri, 26 May 2000 19:21:10 +0300"

noir writes:

> /usr/bin/kdesud has DISPLAY environment variable overflow.
> tested on Mandrake 7.02 (Air), exploit will get you gid=0

Here is the patch:

--- kdesu/kdesud/kdesud.cpp.chmou	Sun May 28 23:31:28 2000
+++ kdesu/kdesud/kdesud.cpp	Sun May 28 23:31:41 2000
@@ -161,7 +161,8 @@
     struct sockaddr_un addr;
     addr.sun_family = AF_UNIX;
-    strcpy(addr.sun_path, sock.c_str());
+    strncpy(addr.sun_path, sock.c_str(), sizeof(addr.sun_path) - 1);
+    addr.sun_path[sizeof(addr.sun_path) - 1] = 0;
     addrlen = SUN_LEN(&addr);
     if (bind(sockfd, (struct sockaddr *)&addr, addrlen) < 0) {
         xerror("bind(): %s");

--
MandrakeSoft Inc http://www.mandrakesoft.com
In travel.
--Chmouel
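Review bot: the strcpy -> strncpy change in this hunk stops the write past sun_path but replaces the overflow with silent truncation: a `sock` string of sizeof(addr.sun_path) - 1 characters or more now produces a well-formed but different socket path, and the following bind() can succeed on that path without any diagnostic. Since kdesud is setgid, a length check that fails through the existing error path is preferable to truncating, e.g. `if (sock.length() >= sizeof(addr.sun_path)) xerror("socket path too long");` before the copy. The added `addr.sun_path[sizeof(addr.sun_path) - 1] = 0;` is required as written, because strncpy does not NUL-terminate when the source fills the buffer and SUN_LEN() computes its result from strlen(sun_path).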
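The patch above bounds the copy into sockaddr_un.sun_path but still accepts an over-long path by truncating it. The following is an added example, not Chmouel's patch or KDE's code, showing the alternative a reviewer would ask for: reject a path that does not fit, so the caller can report an error instead of binding a different name. The function name make_unix_addr and the sample paths are constructed for this illustration; the buffer size comes from the platform's struct sockaddr_un (108 bytes on Linux, 104 on the BSDs).

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Fill *addr with an AF_UNIX address for `path`.
 * Returns 0 on success, -1 if the path (including its terminating NUL)
 * does not fit in sun_path. Nothing is written to *addr on failure, so a
 * too-long string can never reach bind() as a silently shortened name. */
int make_unix_addr(struct sockaddr_un *addr, const char *path)
{
    size_t len = strlen(path);

    if (len >= sizeof(addr->sun_path))   /* needs len + 1 bytes for the NUL */
        return -1;

    memset(addr, 0, sizeof(*addr));      /* deterministic padding for bind() */
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, len + 1); /* copies the terminating NUL too */
    return 0;
}

/* Stand-alone driver with constructed inputs: a realistic per-display
 * socket name and an oversized one of the kind a hostile environment
 * variable could supply. */
int main(void)
{
    struct sockaddr_un addr;
    char long_path[200];

    memset(long_path, 'A', sizeof(long_path) - 1);
    long_path[sizeof(long_path) - 1] = '\0';

    /* constructed example path; accepted */
    if (make_unix_addr(&addr, "/tmp/kdesud_1000:0") == 0)
        printf("ok: bound to %s\n", addr.sun_path);

    /* oversized path; refused instead of truncated */
    if (make_unix_addr(&addr, long_path) != 0)
        printf("refused: %zu-byte path does not fit in %zu-byte sun_path\n",
               strlen(long_path), sizeof(addr.sun_path));

    return 0;
}
```

The caller that replaces the patched strcpy would then pass the result through the program's existing error path (xerror() in kdesud) rather than continuing to bind().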