Author: Alexander Barkov
Email: [EMAIL PROTECTED]
Message:
Thanks. This is fixed in 3.1.13 sources.
>
> Bad news. I just checked your very recent search.c v1.23 via WWW cvs and see that you
> added tmplt= variable parsing there. The previous buffer overflow (I posted the patch for)
> overflows the data segment and stack by some indirect tricks, but the new tmplt= parsing
> allows direct writing to the stack because template[] is on the stack of main().
> Dangerous code is:
> sprintf(template,"%s%s%s",UDM_CONF_DIR,UDMSLASHSTR,token+6);
> It overflows even with my posted fix because UDMSTRSIZ for token is increased by the
> UDM_CONF_DIR+UDMSLASHSTR character count. If someone has UDM_CONF_DIR long enough
> for shell code, he'll get it.
>
>
Reply: <http://search.mnogo.ru/board/message.php?id=2138>
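A bounded replacement for the sprintf call quoted in the thread, added here as an example rather than mnoGoSearch's own code. It uses the destination buffer size as the limit, so a long UDM_CONF_DIR or a long tmplt= value makes the call fail instead of writing past template[]. The macro values and UDMSTRSIZ below are constructed stand-ins, not the project's real definitions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the macros named in the thread. */
#define UDM_CONF_DIR "/usr/local/mnogosearch/etc"
#define UDMSLASHSTR  "/"
#define UDMSTRSIZ    1024

/*
 * Hardened form of
 *   sprintf(template, "%s%s%s", UDM_CONF_DIR, UDMSLASHSTR, token + 6);
 * Limiting the token length alone is not enough, because the prefix
 * UDM_CONF_DIR + UDMSLASHSTR is added on top of it; the check has to be
 * against the size of the destination. Returns 0 on success, -1 if the
 * token is not a tmplt= assignment or the path would not fit in dst.
 */
int build_template_path(char *dst, size_t dstsz, const char *conf_dir,
                        const char *token)
{
    if (dst == NULL || dstsz == 0 || conf_dir == NULL || token == NULL)
        return -1;
    if (strncmp(token, "tmplt=", 6) != 0)   /* token + 6 skips this prefix */
        return -1;

    int n = snprintf(dst, dstsz, "%s%s%s", conf_dir, UDMSLASHSTR, token + 6);
    if (n < 0 || (size_t)n >= dstsz) {     /* would have overflowed dst */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Same fixed-size stack buffer as the original main(); now the overlong
 * case is rejected rather than smashing the frame. */
int main(void)
{
    char template[UDMSTRSIZ];
    char longval[UDMSTRSIZ + 16];           /* constructed overlong tmplt= value */

    memset(longval, 'A', sizeof longval - 1);
    memcpy(longval, "tmplt=", 6);
    longval[sizeof longval - 1] = '\0';

    if (build_template_path(template, sizeof template, UDM_CONF_DIR,
                            "tmplt=search.htm") == 0)
        printf("ok: %s\n", template);
    if (build_template_path(template, sizeof template, UDM_CONF_DIR, longval) != 0)
        printf("rejected: tmplt= value does not fit in template[]\n");
    return 0;
}
```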