Bugtraq mailing list archives
dip-3.3.7o security hole
From: ggajic () AFRODITA RCUB BG AC YU (Goran Gajic)
Date: Tue, 5 May 1998 13:28:21 +0200
Hi,
There is a potential security hole in dip-3.3.7o, which is installed
suid root in the Slackware 3.4 distribution (if selected). Just try this:
~> dip -k -l `perl -e 'print "a" x 2000'`
and you will get something like:
DIP: cannot open /var/lock/LCK..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaa:No such file or directory
Segmentation fault
If you look at the dip source, main.c, or do an strace, you will find that the problem
is with sprintf, line 192:
sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam);
Here is an obvious patch:
--- main.c Tue Feb 13 03:03:35 1996
+++ main.c Mon May 4 23:36:49 1998
@@ -189,7 +189,7 @@
return;
}
- sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam);
+ snprintf(buf, sizeof(buf), "%s/LCK..%s", _PATH_LOCKD, nam);
fp = fopen(buf, "r");
if (fp == (FILE *)0) {
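Review bot: The snprintf call on the + line discards its return value, so an over-long nam is silently truncated and the fopen(buf, "r") that follows opens a lock file whose name differs from the one requested. Capture the result and take the error return when it is negative or >= sizeof(buf). Also confirm that buf is an array declared in this function: its declaration is outside the hunk, and sizeof(buf) would be the wrong bound if buf were a pointer.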
Or chmod -s dip.
Goran Gajic
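The bounded path construction discussed in the message above, as an added example that is not part of the original post or of the dip source. The names lock_path and try_name_of_length, the 128-byte buffer and the "/var/lock" directory (taken from the error output above) are assumptions; the example rejects an over-long name instead of opening a truncated path.

```c
#include <stdio.h>
#include <string.h>

#define LOCK_DIR "/var/lock" /* assumed _PATH_LOCKD, as seen in the error output */
#define LOCK_BUF 128         /* constructed size; the real size of buf is not shown */

/* Build "<lockdir>/LCK..<nam>" into out.
 * Returns 0 on success, -1 if an argument is missing/empty or the
 * result would not fit in outlen bytes (including the terminator). */
int lock_path(char *out, size_t outlen, const char *lockdir, const char *nam)
{
    int n;

    if (out == NULL || outlen == 0 || lockdir == NULL ||
        nam == NULL || nam[0] == '\0')
        return -1;

    n = snprintf(out, outlen, "%s/LCK..%s", lockdir, nam);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0'; /* never leave a truncated path for the caller to open */
        return -1;
    }
    return 0;
}

/* Demo helper: a name of len 'a' characters, like the perl one-liner above. */
int try_name_of_length(size_t len)
{
    char nam[4096];
    char buf[LOCK_BUF];

    if (len >= sizeof(nam))
        return -1;
    memset(nam, 'a', len);
    nam[len] = '\0';
    return lock_path(buf, sizeof(buf), LOCK_DIR, nam);
}

int main(void)
{
    char buf[LOCK_BUF];

    if (lock_path(buf, sizeof(buf), LOCK_DIR, "ttyS0") == 0)
        printf("ok: %s\n", buf);
    printf("2000-char name: %s\n",
           try_name_of_length(2000) == 0 ? "accepted" : "rejected");
    return 0;
}
```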
