Re: Security hole in exim 1.62: local root exploit
Warner Losh (imp@ROVER.VILLAGE.ORG)
Tue, 22 Jul 1997 13:09:02 -0600
- In reply to: Aleph One: "Security hole in exim 1.62: local root exploit"
In message <Pine.SUN.3.94.970722085310.9339D-100000dfw.dfw.net> Aleph One writes:
: Summary: The latest released version of exim lets any local user obtain
: a root shell.

Here's a message from the author with a patch for this problem. 1.651 is the latest test release, btw.

Warner

Date: Tue, 22 Jul 1997 09:55:00 +0100 (BST)
From: Philip Hazel <ph10@cus.cam.ac.uk>
Reply-To: Philip Hazel <ph10@cus.cam.ac.uk>
To: exim-users@lists.cam.ac.uk
Subject: Re: Hoo boy...
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Answering my mail didn't take up all the time till my meeting this morning, leaving me time to develop a slightly different patch to the one posted by Jawaid Bazyar. Here are versions for 1.62 and 1.651:

---snip-------------------------------------------------------------------- *** exim-1.62/src/parse.c Wed Apr 16 14:34:49 1997 --- parse.c Tue Jul 22 09:41:50 1997 *************** *** 1037,1042 **** --- 1037,1048 ---- int extracted; FILE *f; + if (len-9 > 255) + { + *error = "included file name is too long"; + return -1; + } + strncpy(filename, s+9, len-9); filename[len-9] = 0; ---snip-------------------------------------------------------------------- *** exim-1.651/src/parse.c Fri Jul 4 16:33:56 1997 --- parse.c Tue Jul 22 09:31:54 1997 *************** *** 1056,1061 **** --- 1056,1067 ---- *error = string_sprintf("file name missing after :include:"); return -1; } + + if (flen > 255) + { + *error = string_sprintf("included file name \"%s\" is too long", t); + return -1; + } strncpy(filename, t, flen); filename[flen] = 0; ---snip--------------------------------------------------------------------

--
Philip Hazel University Computing Service,
ph10@cus.cam.ac.uk New Museums Site, Cambridge CB2 3QG,
P.Hazel@ucs.cam.ac.uk England. Phone: +44 1223 334714
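
Review bot: In the 1.62 hunk, the new test `if (len-9 > 255)` bounds the length only from above, while the unchanged lines after it, `strncpy(filename, s+9, len-9);` and `filename[len-9] = 0;`, would also misbehave if `len` were less than 9. If nothing earlier in the function guarantees `len >= 9` (that code is outside the context shown), add a lower bound to the same test. The literal 255 is also not tied to the declaration of `filename`, which is not in the hunk; if `filename` is a local array, comparing against `sizeof(filename) - 1` keeps the check correct when the buffer size changes.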
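
Review bot: In the 1.651 hunk, the error path passes `t` to `string_sprintf` with a plain `%s`, yet the unchanged `strncpy(filename, t, flen);` below treats the name as `flen` bytes starting at `t`, so `%s` may print past the end of the file name and copies an over-long, user-supplied string into the message in the very branch that has just rejected it for length. Either drop the name from the message, as the 1.62 version does with "included file name is too long", or limit how many characters of `t` are printed. The added hunk also starts with an empty `+` line that the 1.62 version does not have, and, as in the 1.62 hunk, the literal 255 is not tied to the size of `filename`, whose declaration is outside the context shown.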