tags 475736 - security
severity 475736 minor
thanks

Hi Helmut,

* Helmut Grohne <[EMAIL PROTECTED]> [2008-04-12 18:12]:
> tss has a setuid binary. The source code is src/main.c:
>
> sprintf(glob_string, "%s/.tss/*", getenv("HOME"));
>
> (before dropping setuid, needless to say)
Actually I am pretty sure this one is not exploitable. For sure you are able to corrupt memory here and overwrite EIP, but this will likely segfault in glob() one line after the line you quoted. Thus removing the security tag and setting the severity to minor.

However your bug report was really useful because we realized that the privilege dropping is totally broken in tss and it is possible to read arbitrary files via tss. Steve opened another bug for this: #475747.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
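The bounded replacement a maintainer would apply to the quoted sprintf line, as an added example that is not tss's code: the pattern is built with snprintf, a missing or oversized HOME is rejected instead of overflowing the buffer, and the caller gets a result it can check. The function name `build_tss_glob` and the buffer size are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern buffer size; the real tss buffer size is not given in the report,
   so this value is an assumption for the example. */
#define GLOB_PATTERN_MAX 1024

/* Build "<home>/.tss/*" into out (capacity outsz) without the unbounded
   sprintf from the bug report. Returns 0 on success, -1 if home is NULL,
   empty, or does not fit. On failure out is emptied so a caller cannot
   accidentally pass a truncated path to glob(). */
int build_tss_glob(const char *home, char *out, size_t outsz)
{
    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || home[0] == '\0')
        return -1;                  /* HOME unset: refuse, do not crash */
    /* snprintf reports the length it wanted to write; a value >= outsz
       means the environment-controlled HOME would have overflowed. */
    int n = snprintf(out, outsz, "%s/.tss/*", home);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Same lookup tss does, routed through the checked builder. Call this
   only after privileges have been dropped, as the report points out. */
int build_tss_glob_from_env(char *out, size_t outsz)
{
    return build_tss_glob(getenv("HOME"), out, outsz);
}

int main(void)
{
    char pattern[GLOB_PATTERN_MAX];
    char big[GLOB_PATTERN_MAX + 16];        /* constructed oversized HOME */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("normal:    %d %s\n", build_tss_glob("/home/nico", pattern, sizeof pattern), pattern);
    printf("oversized: %d '%s'\n", build_tss_glob(big, pattern, sizeof pattern), pattern);
    printf("unset:     %d\n", build_tss_glob(NULL, pattern, sizeof pattern));
    return 0;
}
```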