Re: [MSY] S(ecure)Locate heap corruption vulnerability
From: Olaf Kirch <okir () CALDERA DE>
Date: Tue, 28 Nov 2000 11:32:05 +0100
On Sun, Nov 26, 2000 at 11:38:25PM +0100, Michel Kaempf wrote:
> The author, Kevin Lindsay, was contacted and confirmed Secure Locate
> v2.3 is not affected by the vulnerability described in this advisory.
> Every Secure Locate version, from 1.4 (included) to 2.2 (included), is
> affected by the problem, and vulnerable to the exploit described below.
It's still vulnerable to other problems, however:
$ slocate -U /dev -o $PWD/database
$ ls -l database
-rw-r----- 1 okir slocate 3137 Nov 28 10:55 database
IMO, slocate should drop its privilege when given any of the "fishy"
options such as database locations, request to update the database,
I do not believe that there's much you can do with group slocate privilege
except getting read access to the entire database, and discover that
your co-worker is hiding S&M GIFs somewhere in his home directory (gasp!).
That is, at least if your slocate binary and database directory are
not writable by group slocate. If they are, you're in trouble.
Still, being called "secure" locate it should probably be a little
less liberal with its privileges.
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir () monad swb de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
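
Added example, not part of the original post and not slocate's own code: one way a setgid program can give up its group privilege before acting on the caller-chosen -U and -o options shown in the message above. The function names are hypothetical, and the option scan assumes only those two short options need to be caught.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the command line asks to build a database from a caller-chosen
 * tree (-U) or to write it to a caller-chosen file (-o).
 * Over-approximates on purpose: any dash argument containing 'U' or 'o'
 * counts, so bundled short options are caught. A false positive only costs
 * the run its access to the group-readable default database. */
int has_fishy_option(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-')
            continue;                 /* search pattern or option argument */
        if (strcmp(a, "--") == 0)
            break;                    /* end of options */
        if (strpbrk(a + 1, "Uo") != NULL)
            return 1;
    }
    return 0;
}

/* Permanently gives up setgid privilege. Setting the real gid through
 * setregid() also resets the saved gid, so the old effective gid cannot be
 * restored afterwards. The result is verified instead of trusted. */
int drop_group_privilege(void)
{
    gid_t rgid = getgid(), old_egid = getegid();

    if (setregid(rgid, rgid) != 0)
        return -1;
    if (getegid() != rgid || getgid() != rgid)
        return -1;
    /* If we really were setgid, switching back must now fail. */
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (has_fishy_option(argc, argv) && drop_group_privilege() != 0) {
        fprintf(stderr, "cannot drop group privilege, refusing to continue\n");
        return 1;
    }
    printf("continuing with egid=%ld\n", (long)getegid());
    return 0;
}
```

With the drop in place, a run like the one in the message would create the database file with the caller's own group rather than group slocate.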