Bug#118218: leksbot: insecure and unnecessary setuid-root binary

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#118218: leksbot: insecure and unnecessary setuid-root binary
From: Maurice Massar <massar@unix-ag.uni-kl.de>
Date: Sun, 04 Nov 2001 10:39:13 +0100
Message-id: <[🔎] 200111040939.fA49dEkD031562@sushi.unix-ag.uni-kl.de>
Reply-to: Maurice Massar <massar@unix-ag.uni-kl.de>, 118218@bugs.debian.org

Package: leksbot
Version: 1.2-3
Severity: critical
Tags: security
Justification: root security hole

hi,

I just found this package while searching for setuid-root binarys:
-rwsr-xr-x    1 root     root         4060 Aug 29 21:29 /usr/bin/KATAXWR

compiling the packages from sources resulsts in this:
gcc kataxwr.c -O2 -o KATAXWR
/tmp/cc870UKD.o: In function `main':
/tmp/cc870UKD.o(.text+0xd1): the `gets' function is dangerous and should not be used.

need I to say more? ......

taking a look at the changelog:
> leksbot (1.2-1) unstable; urgency=low
[...]
>   * Set KATAXWR setuid so that every user can edit the lexikon Index

if we want all users to be able to write to this index,
better make that file world-writeable.


-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux sushi 2.4.5 #1 SMP Sat Jun 9 23:32:52 CEST 2001 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages leksbot depends on:
ii  libc6                         2.2.4-1    GNU C Library: Shared libraries an

Reply to:

Follow-Ups:
- Bug#118218: marked as done (leksbot: insecure and unnecessary setuid-root binary)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Re: Inconsistent spelling of QT and GNOME
Next by Date: Re: Inconsistent spelling of QT and GNOME
Previous by thread: Re: Inconsistent spelling of QT and GNOME
Next by thread: Bug#118218: marked as done (leksbot: insecure and unnecessary setuid-root binary)
Index(es):
- Date
- Thread