Author: Andrey A. Chernov
Email: [EMAIL PROTECTED]
Message:
> Please don't post in Russian here... 

Ok.

Bad news. I just checked your very recent search.c v1.23 via WWW cvs and saw that you 
added tmplt= variable parsing there. The previous buffer overflow (I posted the patch for it) 
overflows the data segment and stack by some indirect tricks, but the new tmplt= parsing allows 
direct writing to the stack because template[] is on the stack of main(). The dangerous 
code is:
sprintf(template,"%s%s%s",UDM_CONF_DIR,UDMSLASHSTR,token+6);
It overflows even with my posted fix because UDMSTRSIZ for token is increased by 
UDM_CONF_DIR+UDMSLASHSTR count characters. If someone has UDM_CONF_DIR long enough 
for shell code, he'll get it.

Reply: <http://search.mnogo.ru/board/message.php?id=2060>
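The overflow described in the message above, as an added illustration that is not code from the mnoGoSearch project or the message's author: the unbounded sprintf writes strlen(UDM_CONF_DIR)+strlen(UDMSLASHSTR) bytes more than the token bound, and a length-checked builder refuses such a token. The macro values and the tmplt= token are constructed assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for mnoGoSearch's macros; the real values of
   UDM_CONF_DIR, UDMSLASHSTR and UDMSTRSIZ are assumptions here. */
#define UDMSTRSIZ    64                              /* assumed token bound */
#define UDM_CONF_DIR "/usr/local/mnogosearch/etc"    /* assumed install dir */
#define UDMSLASHSTR  "/"

/* Bytes the unbounded sprintf would write (NUL included): the prefix
   length is added on top of the token, so UDMSTRSIZ alone does not bound it. */
size_t unbounded_write_len(const char *token)
{
    return strlen(UDM_CONF_DIR) + strlen(UDMSLASHSTR) + strlen(token + 6) + 1;
}

/* Bounded replacement: fills template only when the whole path fits. */
bool build_template_path(char *template, size_t template_size, const char *token)
{
    if (strncmp(token, "tmplt=", 6) != 0)
        return false;
    if (unbounded_write_len(token) > template_size)
        return false;                 /* would have overflowed template[] */
    int n = snprintf(template, template_size, "%s%s%s",
                     UDM_CONF_DIR, UDMSLASHSTR, token + 6);
    return n >= 0 && (size_t)n < template_size;
}

/* Constructed worst case: a tmplt= token that fills the entire UDMSTRSIZ
   bound. Returns true when the bounded builder refuses it. */
bool overlong_token_is_rejected(void)
{
    char token[UDMSTRSIZ];
    char template[UDMSTRSIZ];         /* sized like the stack buffer in main() */
    memset(token, 'A', sizeof token - 1);
    token[sizeof token - 1] = '\0';
    memcpy(token, "tmplt=", 6);
    printf("unbounded sprintf would write %zu bytes into a %zu-byte buffer\n",
           unbounded_write_len(token), sizeof template);
    return !build_template_path(template, sizeof template, token);
}

int main(void)
{
    char path[UDMSTRSIZ];
    if (build_template_path(path, sizeof path, "tmplt=search.htm"))
        printf("ok: %s\n", path);
    printf("overlong token rejected: %d\n", overlong_token_is_rejected());
    return 0;
}
```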
