On Wed, Aug 18, 2004 at 09:14:27AM +0100, Steve Kemp wrote:
> On Tue, Aug 17, 2004 at 06:32:30PM -0700, Ken Bloom wrote:
> > The third was written by someone else, but it's very useful:
> > Package: svp
> > Version: 0.2-3
> > Description: An SVGAlib based viewer for PostScript and PDF files
> >  svp is an SVGAlib based GhostScript frontend, allowing you to view
> >  PostScript and PDF files on your virtual consoles.
>
> > All of my packages are at http://wwwcsif.cs.ucdavis.edu/~bloom/
>
> I will sponsor this package when it has been fixed to avoid a local
> root attack.
>
> The binary is installed setuid(root), and contains the following
> code:
>
>     snprintf(command, 255, "gs -dBATCH -dNOPAUSE -dSAFER -sDEVICE=nullpage \"%s\" 2>&1", filename);
>     f=popen(command, "r");
>
> That is, it invokes a copy of 'gs' without dropping root privileges and
> without specifying the path to gs. This allows a local user to set up
> a trojan gs command and use it to gain root...
>
> Appropriate solutions could be forking and dropping privileges
> temporarily, dropping the +s bit, or something else.

Do we really want to be adding to the number of svgalib-based programs in
the archive? Surely this isn't the only security problem lurking...

-- 
Steve Langasek
postmodern programmer