Re: setuid/setgid binaries contained in the Debian repository.
On Sat, 2 Aug 2003 20:48:26 -0400, Matt Zimmerman <mdz@debian.org> said:
> That's nice. angband links with every library on the planet,
> including X11. This should be easy.
> [...about 2 minutes later...]
> Even easier than I thought.
> mizar:[...ity/angband/angband-291/src] tail +81 main.c | head -30
> static void init_stuff(void)
> {
>         char path[1024];
>
> #if defined(AMIGA) || defined(VM)
>
>         /* Hack -- prepare "path" */
>         strcpy(path, "Angband:");
>
> #else /* AMIGA / VM */
>
>         cptr tail;
>
>         /* Get the environment variable */
>         tail = getenv("ANGBAND_PATH");
>
>         /* Use the angband_path, or a default */
>         strcpy(path, tail ? tail : DEFAULT_PATH);
>
>         /* Hack -- Add a path separator (only if needed) */
>         if (!suffix(path, PATH_SEP)) strcat(path, PATH_SEP);
>
> #endif /* AMIGA / VM */
>
>         /* Initialize */
>         init_file_paths(path);
> }
> mizar:[...ity/angband/angband-291/src] ANGBAND_PATH=`perl -e 'print "A" x 1050'` gdb /usr/games/angband
> GNU gdb 5.3.90_2003-06-29-cvs-debian
> Copyright 2003 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-linux"...(no debugging symbols found)...
> (gdb) r
> Starting program: /usr/games/angband
> (no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...(no debugging symbols found)...
> (no debugging symbols found)...
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> I'd be happy if you would check your package for trivial security
> exploits before uploading it to Debian.
>> Why do we need policy to tell us to do what you suggest are good,
>> common sense things?
> As the maintainer of a package containing a setgid program with a
> glaring security hole, perhaps you can tell me.
Heh. You should look at what is in the current version:
======================================================================
#ifndef FIXED_PATHS
        /* Get the environment variable */
        tail = getenv("ANGBAND_PATH");
#endif /* FIXED_PATHS */

        /* Use the angband_path, or a default */
        my_strcpy(path, tail ? tail : DEFAULT_PATH, sizeof(path));

        /* Make sure it's terminated */
        path[511] = '\0';

        /* Hack -- Add a path separator (only if needed) */
        if (!suffix(path, PATH_SEP)) my_strcat(path, PATH_SEP, sizeof(path));

#endif /* AMIGA / VM */

        /* Initialize */
        init_file_paths(path);
----------------------------------------------------------------------
/*
* The my_strcpy() function copies up to 'bufsize'-1 characters from 'src'
* to 'buf' and NUL-terminates the result. The 'buf' and 'src' strings may
* not overlap.
*
* my_strcpy() returns strlen(src). This makes checking for truncation
* easy. Example: if (my_strcpy(buf, src, sizeof(buf)) >= sizeof(buf)) ...;
*
* This function should be equivalent to the strlcpy() function in BSD.
*/
size_t my_strcpy(char *buf, const char *src, size_t bufsize)
{
        size_t len = strlen(src);
        size_t ret = len;

        /* Paranoia */
        if (bufsize == 0) return ret;

        /* Truncate */
        if (len >= bufsize) len = bufsize - 1;

        /* Copy the string and terminate it */
        (void)memcpy(buf, src, len);
        buf[len] = '\0';

        /* Return strlen(src) */
        return ret;
}
======================================================================
Superficial audits are probably worse than none; they tend to
raise false senses of security.
manoj
--
Nature gave man two ends--one to sit on and one to think with. Ever
since then man's success or failure has been dependent on the one he
used most. George R. Kirkpatrick
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
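The bounded-copy pattern the current version relies on, carried one step further as an added example (this is not angband's code and not from the mail above): my_strcpy() follows the implementation quoted in the mail, while my_strcat(), has_suffix(), PATH_BUF and DEFAULT_PATH are assumptions, and build_path() uses the strlcpy-style return values to report truncation instead of silently cutting the path, so the 1050-byte ANGBAND_PATH from the gdb run becomes a detectable condition rather than a clobbered return address.

```c
#include <stdio.h>
#include <string.h>

#define PATH_SEP     "/"
#define PATH_BUF     512                          /* assumed buffer size */
#define DEFAULT_PATH "/usr/share/games/angband/"  /* assumed, not the real default */

/* strlcpy-style copy, as in the my_strcpy() quoted in the mail: copies at most
 * bufsize-1 bytes, always NUL-terminates, returns strlen(src). */
size_t my_strcpy(char *buf, const char *src, size_t bufsize)
{
    size_t len = strlen(src), ret = len;
    if (bufsize == 0) return ret;
    if (len >= bufsize) len = bufsize - 1;
    memcpy(buf, src, len);
    buf[len] = '\0';
    return ret;
}

/* strlcat-style append (assumed; the mail only shows it being called). buf must
 * already be NUL-terminated within bufsize. Returns the length it tried to
 * build, so a result >= bufsize means the string was cut short. */
size_t my_strcat(char *buf, const char *src, size_t bufsize)
{
    size_t dlen = strlen(buf), slen = strlen(src), room, n;
    if (dlen >= bufsize) return bufsize + slen;
    room = bufsize - dlen - 1;
    n = slen < room ? slen : room;
    memcpy(buf + dlen, src, n);
    buf[dlen + n] = '\0';
    return dlen + slen;
}

/* Stand-in for the game's suffix() helper: does s end with suf? */
static int has_suffix(const char *s, const char *suf)
{
    size_t sl = strlen(s), tl = strlen(suf);
    return sl >= tl && memcmp(s + sl - tl, suf, tl) == 0;
}

/* Build the data path from an untrusted string (in the game, getenv("ANGBAND_PATH"),
 * chosen by whoever runs the setgid binary). Returns 1 if it had to be truncated. */
int build_path(char *path, size_t bufsize, const char *env)
{
    int truncated = my_strcpy(path, env ? env : DEFAULT_PATH, bufsize) >= bufsize;
    if (!has_suffix(path, PATH_SEP) && my_strcat(path, PATH_SEP, bufsize) >= bufsize)
        truncated = 1;
    return truncated;
}
```

A caller that gets 1 back should refuse the environment value and fall back to the default rather than open files under a silently shortened path.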