tags 158637 + patch thanks As I stated, Debian's linuxconf package should not be vulnerable, as it is not installed setuid root.
Nevertheless, I've backported the patch from the latest upstream version, which makes the exploit[1] fail even if you happen to set linuxconf setuid root. cheers, Michael -- http://www.securiteam.com/exploits/5CP0F0K8BW.html
diff -Naur linuxconf-1.28r3/translate/translat.cc linuxconf-1.28r4.orig/translate/translat.cc --- linuxconf-1.28r3/translate/translat.cc 1999-12-13 04:18:48.000000000 +0100 +++ linuxconf-1.28r4.orig/translate/translat.cc 2002-08-19 20:45:48.000000000 +0200 @@ -85,6 +85,7 @@ } } static char *pterr = NULL; +#define MAXERR_SIZE 2000 /* Print an error message and increment the err counter */ @@ -92,7 +93,7 @@ { va_list list; va_start (list,msg); - pterr += vsprintf (pterr,msg,list); + pterr += vsnprintf (pterr,MAXERR_SIZE,msg,list); va_end (list); } @@ -196,13 +197,13 @@ Load the message dictionnary. Terminate the application if any error. */ -int translat_load ( +static int translat_loaderr ( const char *basepath, // Directory holding dictionnaries const char *basename, // base name of the dictionnary // the language selection will supply // the extension. const char *lang, // Suffix for the language - char *errmsg) // Will contain the error message + char errmsg[MAXERR_SIZE]) // Will contain the error message { int ret = -1; errmsg[0] = '\0'; @@ -250,8 +251,8 @@ // the extension. const char *lang) { - char errmsg[2000]; - if (translat_load (basepath,basename,lang,errmsg)==-1){ + char errmsg[MAXERR_SIZE]; + if (translat_loaderr (basepath,basename,lang,errmsg)==-1){ fprintf (stderr,"%s",errmsg); exit (-1); } @@ -298,10 +299,10 @@ } const char *lang = deflang; const char *lang_env = getenv(envlangvar); - if (lang_env != NULL) lang = lang_env; + if (lang_env != NULL && strlen(lang_env)<=5) lang = lang_env; - char errmsg[2000]; - if (translat_load (basepath,basename,lang,errmsg)==-1){ + char errmsg[MAXERR_SIZE]; + if (translat_loaderr (basepath,basename,lang,errmsg)==-1){ if (strcmp(lang,"eng")!=0){ bool showerr = getenv ("SHOWDICERR")!=NULL; if (showerr){
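Review bot: The new `vsnprintf` call in the hunk at -92,7 passes the full `MAXERR_SIZE` as the bound on every call, although `pterr` has already advanced into the buffer after the first message, so a later message can still be written past the end of `errmsg`. In addition, when it truncates, `vsnprintf` returns the length the output would have had (or a negative value on some older C libraries), so `pterr += ...` can move the pointer outside the buffer. The bound should be the space remaining and the advance should be clamped to what was actually written; this needs an end pointer that is set wherever `pterr` is pointed at `errmsg`, which is outside the visible hunks. Note also that `char errmsg[MAXERR_SIZE]` in the `translat_loaderr` signature is adjusted to a plain pointer, so it documents the size without enforcing it.

```cpp
static char *pterr = NULL;
static char *pterr_end = NULL;	// One past the end of the caller's errmsg buffer
// … unchanged: MAXERR_SIZE define, comment and signature of the error-printing function …
	va_list list;
	va_start (list,msg);
	size_t left = pterr_end - pterr;
	if (left > 1){
		int n = vsnprintf (pterr,left,msg,list);
		// Advance only by what fits; a negative return leaves pterr alone
		if (n > 0) pterr += ((size_t)n < left) ? (size_t)n : left - 1;
	}
	va_end (list);
```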
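Review bot: The added `strlen(lang_env)<=5` test in the hunk at -298,10 limits only the length of the environment value, not its contents. According to the parameter comment in the -196,13 hunk the language string supplies the dictionary file's extension, so a short value containing `/` would still reach the path construction, which is outside this hunk. I would restrict the characters as well, for example `if (lang_env != NULL && strlen(lang_env)<=5 && strchr(lang_env,'/')==NULL) lang = lang_env;`, and give the bare `5` a name next to `MAXERR_SIZE`. An over-long value is now dropped silently in favour of `deflang`; a comment such as `// Ignore over-long language names from the environment and keep deflang` would make that intent visible. The enclosing function starts and ends outside the hunk.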