Re: Seeking sponsors for 3 packages
On Tue, Aug 17, 2004 at 06:32:30PM -0700, Ken Bloom wrote:
>
> The third was written by someone else, but it's very useful:
> Package: svp
> Version: 0.2-3
> Description: An SVGAlib based viewer for PostScript and PDF files
> svp is an SVGAlib based GhostScript frontend, allowing you to view
> PostScript and PDF files on your virtual consoles.
>
> All of my packages are at http://wwwcsif.cs.ucdavis.edu/~bloom/
I will sponsor this package when it has been fixed to avoid a local
root attack.
The binary is installed setuid(root), and contains the following
code:
snprintf(command, 255, "gs -dBATCH -dNOPAUSE -dSAFER -sDEVICE=nullpage \"%s\" 2>&1", filename);
f=popen(command, "r");
That is it invokes a copy of 'gs' without dropping root privileges and
without specifying the path to gs. This allows a local user to setup
a trojan gs command and use it to gain root...
Appropriate solutions could be forking and dropping privileges
temporarily, dropping the +s bit, or something else.
Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
Reply to: