 
From: corecodecorecode.ath.cx
Date: Tue Dec 18 2001 - 07:54:34 CST


    >Submitter-Id: current-users
    >Originator: corecode
    >Organization:
    >Confidential: no
    >Synopsis: wmcube-gdk is vulnerable to a local exploit
    >Severity: critical
    >Priority: high
    >Category: ports
    >Class: sw-bug
    >Release: FreeBSD 4.4-STABLE i386
    >Environment:
    System: FreeBSD elevation.zuhause.stoert.net 4.4-STABLE FreeBSD 4.4-STABLE #3: Thu Dec 13 16:08:02 CET 2001 corecodeelevation.zuhause.stoert.net:/usr/obj/usr/src/sys/ELEVATION i386

            
    >Description:
    wmcube-gdk is vulnerable to a local exploit resulting in privilege elevation (to gid kmem)

    see: http://www.securityfocus.com/archive/1/246033

            
    >How-To-Repeat:
    make & install wmcube-gdk
            
    >Fix:

    there might still be some problems as i didn't have much time to audit the source code.
    better than nothing

    diff -ruN wmcube-gdk.old/Makefile wmcube-gdk/Makefile
    --- wmcube-gdk.old/Makefile Tue Dec 4 02:00:43 2001
    +++ wmcube-gdk/Makefile Tue Dec 18 14:41:39 2001
    -7,6 +7,7
     
     PORTNAME= wmcube
     PORTVERSION= 0.98p1
    +PORTREVISION= 1
     CATEGORIES= sysutils windowmaker
     MASTER_SITES= http://www.ne.jp/asahi/linux/timecop/software/
     PKGNAMESUFFIX= -gdk
    diff -ruN wmcube-gdk.old/files/patch-wmcube.c wmcube-gdk/files/patch-wmcube.c
    --- wmcube-gdk.old/files/patch-wmcube.c Thu Aug 30 06:24:25 2001
    +++ wmcube-gdk/files/patch-wmcube.c Tue Dec 18 14:38:42 2001
    -1,10 +1,73
    ---- wmcube.c.orig Thu Aug 16 13:04:38 2001
    -+++ wmcube.c Thu Aug 16 13:05:00 2001
    - -38,7 +38,6
    - #include <math.h>
    +--- wmcube.c.orig Tue Aug 28 12:08:13 2001
    ++++ wmcube.c Tue Dec 18 14:37:25 2001
    + -39,7 +39,6
      
    + #ifdef LINUX
      /* forgotten includes */
     -#include <getopt.h>
      #include <dirent.h>
    + #endif
      
    - #include <sys/wait.h>
    + -778,7 +777,7
    + newx -= CHAR_WIDTH;
    + }
    +
    +- sprintf(buf, "%02i%%", num);
    ++ snprintf(buf, 5, "%02i%%", num);
    + for (i = 0; (c = buf[i]); i++) {
    + if (c == '%')
    + copy_xpm_area(60, 0, 7, 9, newx, y);
    + -1250,7 +1249,7
    + exit(0);
    + }
    +
    +- fscanf(fp, "%s", tmp);
    ++ fscanf(fp, "%63s", tmp);
    +
    + if (strcmp(tmp, "WMCUBE_COORDINATES") != 0) {
    + printf
    + -1259,7 +1258,7
    + exit(0);
    + }
    +
    +- fscanf(fp, "%s", tmp);
    ++ fscanf(fp, "%63s", tmp);
    + counter = atoi(tmp);
    +
    + while ((strcmp(tmp, "WMCUBE_LINES") != 0)
    + -1280,7 +1279,7
    + fclose(fp);
    + exit(0);
    + }
    +- fscanf(fp, "%s", tmp);
    ++ fscanf(fp, "%63s", tmp);
    +
    + if (feof(fp)) {
    + printf
    + -1398,7 +1397,7
    + char cpuid[6];
    + char check_cpu[6];
    +
    +- sprintf(check_cpu, "cpu%d", which_cpu);
    ++ snprintf(check_cpu, 6, "cpu%d", which_cpu);
    +
    + if ((fp = fopen("/proc/stat", "rb")) == NULL) {
    + perror("/proc/stat required for this system");
    + -1409,7 +1408,7
    + return 0;
    +
    + for (i = -2; i < which_cpu; i++) {
    +- fscanf(fp, "%s", cpuid);
    ++ fscanf(fp, "%5s", cpuid);
    + }
    +
    + if (strcmp(check_cpu, cpuid) != 0) {
    + -1431,7 +1430,7
    + fp = fopen("/proc/stat", "rt");
    +
    + for (i = -2; i < which_cpu; i++) {
    +- fscanf(fp, "%s %d %d %d %d", cpuid, &cpu, &nice, &system, &idle);
    ++ fscanf(fp, "%5s %d %d %d %d", cpuid, &cpu, &nice, &system, &idle);
    + }
    +
    + fclose(fp);
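Review bot: The width-limited `fscanf(fp, "%63s", tmp);` calls in the sub-hunks at -1250, -1259 and -1280 still discard the return value, so a truncated or empty input file lets `tmp` reach `strcmp`/`atoi` with stale or indeterminate contents. Guarding each one with `if (fscanf(fp, "%63s", tmp) != 1)` and taking the error exit already used nearby would close that. The sizes 63 and 5 are literals whose matching declarations for `tmp` and `buf` lie outside the hunk (only `cpuid[6]` and `check_cpu[6]` are visible), so `snprintf(buf, sizeof buf, "%02i%%", num);` would be more robust if `buf` is an array in scope, which needs confirming. In the last sub-hunk, `fp = fopen("/proc/stat", "rt");` is followed by `fscanf` with no NULL check in the visible lines. Since the report describes the binary as running with gid kmem, releasing that group id before any user-supplied file is parsed would limit the impact of remaining parsing bugs, though whether the program can do so depends on code not shown here.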