Re: Linux GNOME exploit - PATCH!

From: Yo Ric Dude <ricdude toad net>
To: andersen xmission com
CC: Elliot Lee <sopwith redhat com>, John Kodis <kodis jagunet com>, gnome-devel-list gnome org
Subject: Re: Linux GNOME exploit - PATCH!
Date: Tue, 28 Sep 1999 20:21:13 -0400

Hey folks, please review patch below for the esdlib 
exploit.  x11amp is a popular program to install
as setuid root for real-time priority, and other
esdified audio apps may seek the same performance 
increase.  It's fixed easily enough.  Is this 
sufficient?

	* esdlib.c (esd_connect_tcpip): buffer overflow exploit plugged
	BugTraq's example was 80 bytes long, make the buffer bigger than
	that, and actually check its size before doing the strncpy.

Index: esdlib.c
===================================================================
RCS file: /cvs/gnome/esound/esdlib.c,v
retrieving revision 1.63
diff -u -b -B -p -r1.63 esdlib.c
--- esdlib.c    1999/09/04 00:16:38     1.63
+++ esdlib.c    1999/09/29 00:10:03
@@ -425,7 +425,7 @@ esd_connect_tcpip(const char *host)
     int socket_out = -1;
     int curstate = 1;
     char default_host[] = "0.0.0.0";
-    char connect_host[64];
+    char connect_host[128] = "0.0.0.0";
     int port = ESD_DEFAULT_PORT;
     unsigned int host_div = 0;
   
@@ -437,6 +437,12 @@ esd_connect_tcpip(const char *host)
     
        /* get host */
        if ( host_div ) {
+           if ( host_div >= 128 ) {
+               fprintf( stderr, "ESPEAKER host name too long: \"%s\"!\n", 
+                        espeaker );
+               return -1;
+           }
+
            strncpy( connect_host, espeaker, host_div );
            connect_host[ host_div ] = '\0';
        } else {

> > If the problem exists at all, it's a Mandrake-specific packaging error,
> > not anything to do with GNOME. nethack is not part of Red Hat Linux, does
> > not use GNOME or esound, and is not installed s[ug]id root in the
> > powertools package.
>
> Gnomehack does use gnomelibs. Never tried Gnomehack, Elliot? Shame on
> you. :) Anyway, it should be setgid games (to give it permission to
> write high scores in /var/lib/games/gnomehack per the ancient nethack
> way of doing things). If it is setgid root, that is somebody elses
> fault, not mine. The way I put gnomehack together, the worst that could
> happen on a buffer overflow would be that somebody gets to fake a high
> score.

-- ebm
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
|  __                         a.k.a. Eric B. Mitchell |
|  |_) .  _  _|      _|  _        ricdude@toad.net    |
|  | \ ( (_ (_| (_| (_| (/_    www.toad.net/~ricdude  |
| How's My Programming?   Call:  1 - 800 - DEV - NULL |
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+

Follow-Ups:
- Re: Linux GNOME exploit - PATCH!
  - From: Owen Taylor

References:
- Linux GNOME exploit
  - From: John Kodis
- Re: Linux GNOME exploit
  - From: Elliot Lee
- Re: Linux GNOME exploit
  - From: Erik Andersen

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]