
Bug#158637: [dendler@idefense.com: iDEFENSE Security Advisory: Linuxconf locally exploitable buffer overflow]



tags 158637 + patch
thanks

As I stated, Debian's linuxconf package should not be vulnerable, as it
is not installed setuid root.

Nevertheless, I've backported the patch from the latest upstream
version, which makes the exploit[1] fail even if you happen to set
linuxconf setuid root.

cheers,

Michael

-- 
[1] http://www.securiteam.com/exploits/5CP0F0K8BW.html
diff -Naur linuxconf-1.28r3/translate/translat.cc linuxconf-1.28r4.orig/translate/translat.cc
--- linuxconf-1.28r3/translate/translat.cc	1999-12-13 04:18:48.000000000 +0100
+++ linuxconf-1.28r4.orig/translate/translat.cc	2002-08-19 20:45:48.000000000 +0200
@@ -85,6 +85,7 @@
 	}
 }
 static char *pterr = NULL;
+#define MAXERR_SIZE 2000
 /*
 	Print an error message and increment the err counter
 */
@@ -92,7 +93,7 @@
 {
 	va_list list;
 	va_start (list,msg);
-	pterr += vsprintf (pterr,msg,list);
+	pterr += vsnprintf (pterr,MAXERR_SIZE,msg,list);
 	va_end (list);
 }
 
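Review bot: The bound passed to vsnprintf on the added line is the whole buffer size, not the space left after pterr has been advanced by earlier calls, so a sequence of error messages can still write past the end of the MAXERR_SIZE buffer; only a single oversized message is now truncated. vsnprintf also returns the length the message would have had, so after a truncation pterr is moved beyond the terminating NUL and the next call writes outside the buffer entirely. The function whose body this is starts outside the hunk and the place where pterr is assigned is not shown; the fix needs the buffer end recorded alongside pterr (e.g. `static char *pterr_end = NULL;` set wherever pterr is pointed at the caller's errmsg) and the body rewritten to bound by the remaining space and clamp the advance, as below.
```cpp
	va_list list;
	va_start (list,msg);
	/* bound the write to the space left, not the whole buffer */
	size_t avail = (pterr_end > pterr) ? (size_t)(pterr_end - pterr) : 0;
	if (avail > 0){
		int n = vsnprintf (pterr,avail,msg,list);
		/* vsnprintf reports the untruncated length; clamp before advancing */
		if (n > 0) pterr += ((size_t)n < avail) ? (size_t)n : avail - 1;
	}
	va_end (list);
```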
@@ -196,13 +197,13 @@
 	Load the message dictionnary.
 	Terminate the application if any error.
 */
-int translat_load (
+static int translat_loaderr (
 	const char *basepath,	// Directory holding dictionnaries
 	const char *basename,	// base name of the dictionnary
 							// the language selection will supply
 							// the extension.
 	const char *lang,		// Suffix for the language
-	char *errmsg)			// Will contain the error message
+	char errmsg[MAXERR_SIZE])			// Will contain the error message
 {
 	int ret = -1;
 	errmsg[0] = '\0';
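Review bot: The new parameter declarator `char errmsg[MAXERR_SIZE]` in the signature of translat_loaderr decays to `char *`, so the compiler does not enforce the size; the safety of the change rests entirely on every caller passing a buffer of exactly MAXERR_SIZE bytes, which the declarator only documents. A comment making that contract explicit would stop a future caller from passing a smaller buffer, e.g. `char errmsg[MAXERR_SIZE])	// Caller's buffer MUST be MAXERR_SIZE bytes: the array size here is not checked`. The function body continues outside the hunk, and the two callers updated in the later hunks both declare `char errmsg[MAXERR_SIZE]`, which is the only thing keeping the sizes in step.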
@@ -250,8 +251,8 @@
 							// the extension.
 	const char *lang)
 {
-	char errmsg[2000];
-	if (translat_load (basepath,basename,lang,errmsg)==-1){
+	char errmsg[MAXERR_SIZE];
+	if (translat_loaderr (basepath,basename,lang,errmsg)==-1){
 		fprintf (stderr,"%s",errmsg);
 		exit (-1);
 	}
@@ -298,10 +299,10 @@
 	}
 	const char *lang = deflang;
 	const char *lang_env = getenv(envlangvar);
-	if (lang_env != NULL) lang = lang_env;
+	if (lang_env != NULL && strlen(lang_env)<=5) lang = lang_env;
 
-	char errmsg[2000];
-	if (translat_load (basepath,basename,lang,errmsg)==-1){
+	char errmsg[MAXERR_SIZE];
+	if (translat_loaderr (basepath,basename,lang,errmsg)==-1){
 		if (strcmp(lang,"eng")!=0){
 			bool showerr = getenv ("SHOWDICERR")!=NULL;
 			if (showerr){
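Review bot: The new length check `strlen(lang_env)<=5` hard-codes a limit with no indication of where 5 comes from; presumably it is the longest language suffix this code composes into a dictionary file name, but nothing in the hunk shows that. A named constant with a comment, e.g. `#define MAXLANG_LEN 5	// longest language suffix accepted from the environment` and `if (lang_env != NULL && strlen(lang_env)<=MAXLANG_LEN) lang = lang_env;`, would tie the limit to the buffer it protects. An over-long value is silently ignored and deflang is used instead, which is a reasonable hardening default but deserves a one-line comment so it is not later mistaken for a bug. The enclosing function starts and ends outside the hunk.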
