Hi Mohammed,
* Mohammed Sameer <[EMAIL PROTECTED]> [2008-04-14 14:33]:
> On Mon, Apr 14, 2008 at 02:26:47PM +0200, Nico Golde wrote:
> > Hi Mohammed,
> > * Mohammed Sameer <[EMAIL PROTECTED]> [2008-04-13 18:18]:
> > > I think I'm missing something.
> > >
> > > Why do we need to make it not suid if the daemon drops it (-6 upload) ?
> >
> > Cause it does drop it via seteuid and as long as the buffer
> > overflow exists possible injected shellcode could do
> > seteuid(0) to get it back.
>
> aha!
>
> I sent a patch earlier as an attempt to fix the buffer overflow vulnerability.
> I'd appreciate someone reviewing it. I can do an upload if it's OK.
Just saw it and I have to admit that I'm not really happy with it. Please just leave the code as it is now and use snprintf instead with a length of sizeof(tmp). Please also check the other buffers.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
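Added example, not part of the thread or of the package under discussion: a small C program illustrating the two points made above, that a seteuid()-based drop is reversible (the saved set-user-ID stays 0, so seteuid(0) succeeds again) while setuid() as root is permanent, and that a bounded copy via snprintf with sizeof(tmp) refuses over-long input instead of overflowing. The buffer name tmp, the 16-byte size, the uid 65534 used as the "unprivileged" uid when run as root, and the function names are all assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Bounded copy in the style requested in the mail: snprintf bounded by
 * sizeof(dst). Returns 0 on success, -1 if the input did not fit, so the
 * caller can reject over-long input rather than process a truncated one. */
static int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    int n = snprintf(dst, dstsz, "%s", src);
    if (n < 0)
        return -1;
    if ((size_t)n >= dstsz)      /* a strcpy() here would have overflowed */
        return -1;
    return 0;
}

/* Fixed-size local buffer, like a tmp[] in a daemon. Returns the length
 * stored, or -1 when the input is rejected. tmp size is an assumption. */
int handle_name(const char *name)
{
    char tmp[16];
    if (copy_bounded(tmp, sizeof(tmp), name) != 0)
        return -1;
    return (int)strlen(tmp);
}

/* Pick a uid to drop to: 65534 ("nobody"-style, assumed) when root,
 * otherwise our own real uid so the demo also runs unprivileged. */
static uid_t unprivileged_uid(void)
{
    return getuid() == 0 ? (uid_t)65534 : getuid();
}

/* Temporary drop via seteuid(): only the effective uid changes, the saved
 * set-user-ID is untouched, so seteuid(0) afterwards succeeds when the
 * process started as root. Returns 1 if root could be regained, 0 if not,
 * -1 on error. This is the situation described in the quoted mail. */
int drop_temporarily_and_try_regain(void)
{
    if (seteuid(unprivileged_uid()) != 0)
        return -1;
    return seteuid(0) == 0 ? 1 : 0;
}

/* Permanent drop via setuid(): as root this sets real, effective and saved
 * uid together, so seteuid(0) afterwards fails. Returns 1 if root can no
 * longer be regained, 0 if it still can, -1 on error. */
int drop_permanently_and_try_regain(void)
{
    uid_t u = unprivileged_uid();
    if (setuid(u) != 0)
        return -1;
    if (geteuid() != u)
        return 0;
    return seteuid(0) != 0 ? 1 : 0;
}

int main(void)
{
    printf("handle_name(\"short\") = %d\n", handle_name("short"));
    printf("handle_name(16 chars)  = %d\n", handle_name("0123456789abcdef"));
    printf("seteuid drop, root regainable: %d\n", drop_temporarily_and_try_regain());
    printf("setuid drop, root regainable:  %d\n", drop_permanently_and_try_regain() == 1 ? 0 : 1);
    return 0;
}
```

Run it once as an unprivileged user and once as root to see the difference: only the root run reports the seteuid() drop as reversible, which is why dropping the suid bit (or using setuid()) matters as long as an overflow remains in the binary.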