tags 158637 + patch
thanks

As I stated, Debian's linuxconf package should not be vulnerable, as it
is not installed setuid root.

Nevertheless, I've backported the patch from the latest upstream
version, which makes the exploit[1] fail even if you happen to set
linuxconf setuid root.

cheers,

Michael

-- 
http://www.securiteam.com/exploits/5CP0F0K8BW.html
diff -Naur linuxconf-1.28r3/translate/translat.cc 
linuxconf-1.28r4.orig/translate/translat.cc
--- linuxconf-1.28r3/translate/translat.cc      1999-12-13 04:18:48.000000000 
+0100
+++ linuxconf-1.28r4.orig/translate/translat.cc 2002-08-19 20:45:48.000000000 
+0200
@@ -85,6 +85,7 @@
        }
 }
 static char *pterr = NULL;
+#define MAXERR_SIZE 2000
 /*
        Print an error message and increment the err counter
 */
@@ -92,7 +93,7 @@
 {
        va_list list;
        va_start (list,msg);
-       pterr += vsprintf (pterr,msg,list);
+       pterr += vsnprintf (pterr,MAXERR_SIZE,msg,list);
        va_end (list);
 }
 
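Review bot: Passing `MAXERR_SIZE` as the bound on every call is not enough, because `pterr` is advanced by the return value after each message and the buffer (allocated as `char errmsg[MAXERR_SIZE]` by the callers in the later hunks) does not grow with it, so a second message can still write past its end; the bound must be the space left from the current `pterr`. On truncation vsnprintf also returns the length that would have been written, so `pterr` is moved past the buffer even when the write itself was clipped. The enclosing function's signature and the place where `pterr` is pointed at the caller's buffer are outside this hunk; the sketch below assumes a new `static char *pterr_end` set alongside `pterr` to `errmsg + MAXERR_SIZE` at that point.
```cpp
        va_list list;
        va_start (list,msg);
        // Room left in the caller's MAXERR_SIZE buffer; pterr_end is set
        // together with pterr wherever pterr is aimed at errmsg.
        size_t left = (pterr_end > pterr) ? (size_t)(pterr_end - pterr) : 0;
        int n = vsnprintf (pterr,left,msg,list);
        if (n < 0) n = 0;
        // vsnprintf reports the untruncated length; never step past the buffer.
        if (left == 0) n = 0;
        else if ((size_t)n >= left) n = (int)(left - 1);
        pterr += n;
        va_end (list);
```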
@@ -196,13 +197,13 @@
        Load the message dictionnary.
        Terminate the application if any error.
 */
-int translat_load (
+static int translat_loaderr (
        const char *basepath,   // Directory holding dictionnaries
        const char *basename,   // base name of the dictionnary
                                                        // the language 
selection will supply
                                                        // the extension.
        const char *lang,               // Suffix for the language
-       char *errmsg)                   // Will contain the error message
+       char errmsg[MAXERR_SIZE])                       // Will contain the 
error message
 {
        int ret = -1;
        errmsg[0] = '\0';
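Review bot: The dimension in the new `char errmsg[MAXERR_SIZE]` parameter is documentation only, since an array parameter decays to `char *` and the compiler does not check what callers pass; the actual guarantee rests on each caller allocating `MAXERR_SIZE` bytes, as the two later hunks do. A comment on the parameter would make that contract explicit for the next caller, e.g. `// Caller must supply at least MAXERR_SIZE bytes; the dimension is not enforced`. The body of translat_loaderr continues past the end of this hunk.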
@@ -250,8 +251,8 @@
                                                        // the extension.
        const char *lang)
 {
-       char errmsg[2000];
-       if (translat_load (basepath,basename,lang,errmsg)==-1){
+       char errmsg[MAXERR_SIZE];
+       if (translat_loaderr (basepath,basename,lang,errmsg)==-1){
                fprintf (stderr,"%s",errmsg);
                exit (-1);
        }
@@ -298,10 +299,10 @@
        }
        const char *lang = deflang;
        const char *lang_env = getenv(envlangvar);
-       if (lang_env != NULL) lang = lang_env;
+       if (lang_env != NULL && strlen(lang_env)<=5) lang = lang_env;
 
-       char errmsg[2000];
-       if (translat_load (basepath,basename,lang,errmsg)==-1){
+       char errmsg[MAXERR_SIZE];
+       if (translat_loaderr (basepath,basename,lang,errmsg)==-1){
                if (strcmp(lang,"eng")!=0){
                        bool showerr = getenv ("SHOWDICERR")!=NULL;
                        if (showerr){
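Review bot: The new `strlen(lang_env)<=5` check uses a bare magic number whose origin (presumably the size of the buffer the suffix is later copied into, which is outside this hunk) is not visible at the point of use; naming it, `#define MAXLANG_SUFFIX 5` and `if (lang_env != NULL && strlen(lang_env)<=MAXLANG_SUFFIX) lang = lang_env;`, ties the limit to the buffer it protects. Since the comments in the earlier hunk say the language selection supplies the dictionary file extension, a length check alone still accepts any characters in the suffix; if the path is built by concatenation, restricting the suffix to alphanumerics would be the tighter guard, though whether that matters cannot be confirmed from this hunk. A comment noting that an over-long value silently falls back to `deflang` would also help, as the branch below only reports errors when the lookup itself fails. The enclosing function starts before and continues after this hunk.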
