On Fri, Sep 05, 2003 at 04:26:55PM +0100, Thomas Horsten wrote:
> Hi Frank,
> 
> On Fri, 5 Sep 2003, Frank Lichtenheld wrote:
> 
> > char path[256];
> > sprintf( path, "some string/%s", packagename);
> > 
> > There are no further checks as far as I can see. I'm not very experienced in C
> > programming and don't know much about the details of exploiting buffer
> > overflows or the like...
> > 
> > Is such code (apart from the fact that it can easily lead to segfaults) a
> > security problem?
> 
> This depends on the context of the code. Generally speaking:
> 
> If the data (packagename, in your case) comes from an insecure source,
> e.g. a command line argument or a value otherwise provided by the user, it
> may be possible to craft a string that will overflow the stack in such a
> way that an embedded piece of assembler code will be executed.
Hmm, the inputs in this case are /var/lib/dpkg/status and theoretically
/var/lib/apt/lists/*_Packages, but this is broken anyway because the program
has a hardcoded /var/state/apt in it...

> This code will be run with the same privileges that your program has.
> Obviously, if the program is run from a normal shell by a normal user, and
> it is not SetUID, this would normally not be considered a security issue.
> But if the program is SetUID or SetGID, this would allow the attacker to
> e.g. start a shell (by calling exec) with those privileges.

The program is installed as /usr/sbin/magpie but can be called by any user.

The question that remains is: Does this require a security update for the
woody version of the package? Or should I just try to get this fixed in the
next release (of the package)?

Regards,
-- 
Frank Lichtenheld <[EMAIL PROTECTED]>
www: http://www.djpig.de/
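A bounded replacement for the `sprintf( path, "some string/%s", packagename)` quoted in the thread, as an added example that is not magpie's code or anyone's from this list: `PREFIX` stands in for the unknown "some string/", the package-name character rule is assumed from Debian Policy, and `make_path` and `name_of_length_fits` are helpers written for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not magpie's code. PREFIX stands in for the
 * "some string/" of the quoted snippet; PATH_BUF matches its path[256]. */
#define PATH_BUF 256
static const char PREFIX[] = "/var/state/apt/lists/";
/* Debian package names: only [a-z0-9+.-], at least two characters, first
 * one alphanumeric (rule assumed from Debian Policy). */
bool valid_package_name(const char *name)
{
    if (strlen(name) < 2 || strchr("+-.", name[0]))
        return false;
    for (const char *p = name; *p; p++)
        if (!((*p >= 'a' && *p <= 'z') || (*p >= '0' && *p <= '9') ||
              strchr("+-.", *p)))
            return false;
    return true;
}

/* Hardened replacement for `sprintf(path, "some string/%s", packagename)`:
 * bounded snprintf; truncation (reported length >= outsz) is an error, not
 * a silent write past the end of the buffer. */
bool build_path(char *out, size_t outsz, const char *packagename)
{
    if (outsz == 0 || !valid_package_name(packagename))
        return false;
    int n = snprintf(out, outsz, "%s%s", PREFIX, packagename);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';              /* discard the truncated result */
        return false;
    }
    return true;
}
/* Builds into a PATH_BUF buffer as magpie would; NULL when refused. */
const char *make_path(const char *name)
{
    static char path[PATH_BUF];
    return build_path(path, sizeof path, name) ? path : NULL;
}
/* Name of `len` 'a's: the original sprintf() overflowed once strlen(PREFIX)+len+1 > 256. */
bool name_of_length_fits(size_t len)
{
    char name[512];
    if (len >= sizeof name) return false;
    memset(name, 'a', len);
    name[len] = '\0';
    return make_path(name) != NULL;
}
```

With the 21-byte `PREFIX`, a 234-character name is the longest that fits in 256 bytes with its terminator; one character more is refused instead of overflowing.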