Local root exploit with kmod and modutils > 2.1.121

To: wakkerma@debian.org
Cc: debian-devel@lists.debian.org
Subject: Local root exploit with kmod and modutils > 2.1.121
From: André Dahlqvist <andre@beta.telenordia.se>
Date: Mon, 13 Nov 2000 13:36:40 +0100
Message-id: <[🔎] 20001113133640.A3743@beta.telenordia.se>

Wichert,

Keith Owens, the author of modutils, just sent this security annoucement
to the linux-kernel mailing list:

----- Forwarded message from Keith Owens <kaos@ocs.com.au> -----

Date:	Mon, 13 Nov 2000 21:57:08 +1100
To:	linux-kernel@vger.kernel.org
X-Mailer: exmh version 2.1.1 10/15/1999
From:	Keith Owens <kaos@ocs.com.au>
Subject: Local root exploit with kmod and modutils > 2.1.121

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Content-Type: text/plain; charset=us-ascii

A local root exploit has been found using kernels compiled with kmod
and modutils > 2.1.121.  Kernels without kmod and systems using
modutils 2.1.121 are not affected.

Patch against modutils 2.3.19, it should fit any 2.3 modutils.

Index: 19.7/util/meta_expand.c
- --- 19.7/util/meta_expand.c Sun, 10 Sep 2000 12:56:40 +1100 kaos (modutils-2.3/10_meta_expan 1.4 644)
+++ 19.7(w)/util/meta_expand.c Mon, 13 Nov 2000 21:19:41 +1100 kaos (modutils-2.3/10_meta_expan 1.4 644)
@@ -156,12 +156,8 @@ static int glob_it(char *pt, GLOB_LIST *
  */
 int meta_expand(char *pt, GLOB_LIST *g, char *base_dir, char *version)
 {
- -	FILE *fin;
- -	int len = 0;
- -	char *line = NULL;
 	char *p;
 	char tmpline[PATH_MAX + 1];
- -	char tmpcmd[PATH_MAX + 11];
 
 	g->pathc = 0;
 	g->pathv = NULL;
@@ -277,38 +273,6 @@ int meta_expand(char *pt, GLOB_LIST *g, 
 		/* Only "=" remaining, should be module options */
 		split_line(g, pt, 0);
 		return 0;
- -	}
- -
- -	/*
- -	 * Last resort: Use "echo"
- -	 */
- -	sprintf(tmpline, "%s%s", (base_dir ? base_dir : ""), pt);
- -	sprintf(tmpcmd, "/bin/echo %s", tmpline);
- -	if ((fin = popen(tmpcmd, "r")) == NULL) {
- -		error("Can't execute: %s", tmpcmd);
- -		return -1;
- -	}
- -	/* else */
- -
- -	/*
- -	 * Collect the result
- -	 */
- -	while (fgets(tmpcmd, PATH_MAX, fin) != NULL) {
- -		int l = strlen(tmpcmd);
- -
- -		line = (char *)xrealloc(line, len + l + 1);
- -		line[len] = '\0';
- -		strcat(line + len, tmpcmd);
- -		len += l;
- -	}
- -	pclose(fin);
- -
- -	if (line) {
- -		/* Ignore result if no expansion occurred */
- -		strcat(tmpline, "\n");
- -		if (strcmp(tmpline, line))
- -			split_line(g, line, 0);
- -		free(line);
 	}
 
 	return 0;

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: Exmh version 2.1.1 10/15/1999

iD8DBQE6D8kEi4UHNye0ZOoRAmVTAKCktbi9DI5t0sj8wd1/vjLtgwVW6QCgnO0L
mVbPskoIGSSyTE8I9K7FcAg=
=Z1/L
-----END PGP SIGNATURE-----

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/


----- End forwarded message -----

-- 

André Dahlqvist <andre@beta.telenordia.se>

Reply to:

Follow-Ups:
- Re: Local root exploit with kmod and modutils > 2.1.121
  - From: Wichert Akkerman <wichert@cistron.nl>
- Re: Local root exploit with kmod and modutils > 2.1.121
  - From: Wichert Akkerman <wichert@cistron.nl>

Prev by Date: ITP: xfonts-bolkhov, xfonts-cronyx
Next by Date: character codes for terminals
Previous by thread: ITP: xfonts-bolkhov, xfonts-cronyx
Next by thread: Re: Local root exploit with kmod and modutils > 2.1.121
Index(es):
- Date
- Thread