|
Bugtraq
mailing list archives
Re: Linux /usr/bin/gnuplot overflow
From: speed () LINUX DPILINK COM (Speed)
Date: Thu, 4 Mar 1999 20:04:49 -0500
It is interesting to note that the gnuplot on my system is NOT suid root
(nor have I modified the default installed settings). My version is 3.5
patchlevel 3.50.1.17 (i.e. very old). The distribution is Slackware.
I agree with xnec in that I can see no good reason to make it suid root.
Anyone know why this was done? Anytime a program is going to do this, a
full audit should be made - some people take the suid bit not seriously
enough.
Simply running strings against it should cause someone looking at that
output to feel a bit suspicious.
Granted, the suid bit might be placed by the distribution and not the
program's author.
Finally, thanks to xnec for providing BOTH the exploit and the fix which
is how it should be done on a full disclosure list.
- Speed_D
 By Date 
By Thread
Current thread:
- Re: Linux /usr/bin/gnuplot overflow Speed (Mar 04)
|
Intro
