Package: libsafe
Version: 2.0-16-6
Severity: serious

Libsafe 2.0-16-6 seems not to stop its own example exploits, which are attached to the sources, which would make it quite useless if confirmed. That would mean that it gives a false feeling of security (in the matter of exploiting strcmp and related functions) when it fails to protect users from it. Perhaps it's even a grave bug, since such protection actually is the main and only function of that lib. Please verify that possible bug; I'm a newbie in terms of reporting bugs to the Debian project.

Also, libsafe seems to interfere with other programs, like in my previous
bug report Bug#345728


[EMAIL PROTECTED]:~/cre.os/libsafe/libsafe-2.0-16/exploits$ ./t1
This program tries to use strcpy() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /home/raf256/cre.os/libsafe/libsafe-2.0-16/exploits/t1.
    uid=2560  euid=2560  pid=94
Call stack:
    0xb7f2141c  /lib/libsafe.so.2.0.16
    0xb7f21510  /lib/libsafe.so.2.0.16
    0x80485a3   /home/raf256/cre.os/libsafe/libsafe-2.0-16/exploits/t1
    0x80485c9   /home/raf256/cre.os/libsafe/libsafe-2.0-16/exploits/t1
    0xb7dd3eab  /lib/tls/i686/cmov/libc-2.3.5.so
Overflow caused by strcpy()
Killed

Ok, that one worked, but:

[EMAIL PROTECTED]:~/cre.os/libsafe/libsafe-2.0-16/exploits$ ./t6
This program tries to use scanf() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-3.00$ whoami
raf256
sh-3.00$ pwd
/home/raf256/cre.os/libsafe/libsafe-2.0-16/exploits
sh-3.00$ exit
exit


Same if I build the example by hand or via debuild.

I use a grsecurity kernel
Linux lore.raf256 2.6.14.3-grsec-d+gc-k8reg-pg4 #1 PREEMPT
on amd64 but in 32bit mode

--
Rafał Maj


