BSD, Linux, Cisco, Web, Palm, other unix RUSSIAN version Search:  Выпущена CD-версия OpenNet.RU для оффлайн просмотра. Для формирования заказа - перейдите по ссылке. SOFT - Unix Software catalog LINKS - Unix resources TOPIC - Articles from usenet DOCUMENTATION - Unix guides News | Tips | MAN | Forum | BUGs | LastSoft | Keywords | BOOKS (selected) | Linux HowTo | FAQ Archive

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

X-RDate: Thu, 21 May 1998 16:28:44 +0600 (YEKST)
X-UIDL: 35317d340000029e
Date: Sun, 17 May 1998 16:08:53 -0700
From: Jiva DeVoe <jiva@devware.com>
To: linux-security@redhat.com
Subject: [linux-security] Fw:      simple kde exploit fix

And, here's a fix.
-----Original Message-----
From: David Zhao <dzhao@LURK.KELLOGG.NWU.EDU>
To: BUGTRAQ@NETSPACE.ORG <BUGTRAQ@NETSPACE.ORG>
Date: Sunday, May 17, 1998 3:00 PM
Subject: simple kde exploit fix


>in kdebase/kscreensaver/kscreensave.cpp:
>
>change:
>line 18:        strcpy( buffer, getenv("HOME") );
>                to
>                strncpy( buffer, getenv("HOME"), 256);
>
>and
>line 34:        strcpy( buffer, KApplication::kde_bindir() );
>                to
>                strncpy( buffer, KApplication::kde_bindir(), 256 );
>                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>        This one probably isn't crucial, but it's good programming anyway
>
>this fixes the exploit given and is a classic stack overflow exploit, the
>thing is KDE uses the getenv function multiple times to get the home
>directory (in other kde suites and programs as well) instead of getting it
>from the passwd file, strange. Most are not vulnerable cause they aren't
>suid, but it still seems to be bad programming since you can change the
>environment from the shell. The only suid programs are klock, kppp, and
>the *.kss files, I haven't checked the kss programs for bugs yet, but this
>will fix the klock.
>
>==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-
==
>| David Zhao       UNIX Systems Admininstrator         |  Live Free or DIE
|
>| Kellogg School of Management                         |   | | |\  | | \ /
|
>| ICQ Internet ID: 7892139                             |   | | | \ | |  X
|
>| Work Ph: (847) 467-3015  Pager: (847) 205-8674       |   |_| |  \| | / \
|
>|
>| "Sometimes I think I'm stupid, other times I just am"|
>|                                               -- Dennis Kiilerich
>===========================================================================
==
>

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Быстрая навигация по сайту __________________ КАТАЛОГИ: Каталог программного обеспечения Каталог ссылок на unix ресурсы Каталог тематических статей Архив документации Советы, заметки MAN - Системные руководства __________________ НОВОСТИ: Новости OpenNews LastSoft - Свежий софт Обзоры ПО с freshmeat Проблемы безопасности Новости с других сайтов __________________ ОБЩЕНИЕ: Форум/Конферения _______________ МИНИ-ПОРТАЛЫ: CISCO.opennet.ru BSD.opennet.ru LINUX.opennet.ru SOLARIS.opennet.ru WEB.opennet.ru - web-технологии SECURITY.opennet.ru PALM.opennet.ru - карманные ПК __________________ НАВИГАЦИЯ: Навигация по ключевым словам Системы ПОИСКА __________________ РАЗНОЕ: ЦУП - Центр Управления Проектом Добавление в каталоги Закладки Добавить в закладки Created 1996-2003 by Maxim Chirkov   Добавить, Реклама, Вебмастеру, ЦУП, ГИД

Интерреклама. Интернет