Re: Possible SERIOUS bug in open()?
Mark E. Mallett (mem MV.MV.COM)
Fri, 24 Oct 1997 23:09:34 -0400
- Next message: Savochkin Andrey Vladimirovich: "Re: SECURITY: groff, rhs-printfilters, tetex, metamail fixes"
- Previous message: Charles M. Hannum: "More info on SPARC CPU bug"
- In reply to: Aleph One: "Re: Possible SERIOUS bug in open()?"
- Next in thread: Tim Newsham: "Re: Possible SERIOUS bug in open()?"
>
> In muc.lists.freebsd.security, you wrote:
> > fd = open("/dev/rsd0a", -1, 0);
In fact it looks like any mode value with the bottom 2 bits on will
work. e.g. -1, 3, 7, etc.
> + if(!flags)
> + flags++;
> +
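Review bot: the `if(!flags)` test compares the whole value of `flags` against zero, so it fires only when every bit is clear; a value with both access-mode bits clear and any higher bit set passes it unchanged. Test only the two low bits, e.g. `if ((flags & 3) == 0)`, and consider failing the call there instead of `flags++`, which silently changes what the caller asked for. A one-line comment saying why the check exists would also help the next reader.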
This will only cover the -1 case. Perhaps also changing:
> flags = FFLAGS(uap->flags);
to
> flags = FFLAGS(uap->flags) & 3;
and then the zero test as above?
-mm-
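The difference between the quoted `if(!flags)` test and a test on the two access-mode bits, as an added example that is not part of the original post or of the kernel source. It assumes the 4.4BSD definitions `FFLAGS(oflags) ((oflags) + 1)`, `FREAD 0x0001` and `FWRITE 0x0002`, which are not shown on the page; the function names are hypothetical.

```c
#include <stdio.h>

/* Assumption: 4.4BSD-style definitions (sys/fcntl.h), not shown on the page. */
#define FREAD   0x0001
#define FWRITE  0x0002
#define FFLAGS(oflags) ((oflags) + 1)

/* The quoted patch: fires only when the converted value is exactly zero. */
int patch_check_fires(int oflags)
{
    int flags = FFLAGS(oflags);
    return !flags;
}

/* Hypothetical stricter test: fires whenever neither access bit is set,
 * without discarding the remaining flag bits. */
int access_bits_missing(int oflags)
{
    int flags = FFLAGS(oflags);
    return (flags & (FREAD | FWRITE)) == 0;
}

/* Count open() flag values in [lo, hi] that request no access mode
 * yet slip past the quoted patch. */
int count_missed(int lo, int hi)
{
    int n = 0;
    for (int o = lo; o <= hi; o++)
        if (access_bits_missing(o) && !patch_check_fires(o))
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample inputs: the three normal modes plus the values
     * named in the message (-1, 3, 7). */
    int samples[] = { 0, 1, 2, 3, 7, -1 };
    size_t i;

    printf("%6s %8s %12s %14s\n", "oflags", "FFLAGS", "patch fires", "no access bit");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%6d %8d %12d %14d\n", samples[i], FFLAGS(samples[i]),
               patch_check_fires(samples[i]), access_bits_missing(samples[i]));
    printf("missed by patch in 0..255: %d\n", count_missed(0, 255));
    return 0;
}
```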