[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#118218: leksbot: insecure and unnecessary setuid-root binary

Package: leksbot
Version: 1.2-3
Severity: critical
Tags: security
Justification: root security hole


I just found this package while searching for setuid-root binarys:
-rwsr-xr-x    1 root     root         4060 Aug 29 21:29 /usr/bin/KATAXWR

compiling the packages from sources resulsts in this:
gcc kataxwr.c -O2 -o KATAXWR
/tmp/cc870UKD.o: In function `main':
/tmp/cc870UKD.o(.text+0xd1): the `gets' function is dangerous and should not be used.

need I to say more? ......

taking a look at the changelog:
> leksbot (1.2-1) unstable; urgency=low
>   * Set KATAXWR setuid so that every user can edit the lexikon Index

if we want all users to be able to write to this index,
better make that file world-writeable.

-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux sushi 2.4.5 #1 SMP Sat Jun 9 23:32:52 CEST 2001 i686

Versions of packages leksbot depends on:
ii  libc6                         2.2.4-1    GNU C Library: Shared libraries an

Reply to: