[Please upgrade slocate. Red Hat is definitely vulnerable to this obscure bug, other distributions may be vulnerable too -- Raju]
This is an RFC 1153 digest. (1 message) ---------------------------------------------------------------------- Message-ID: <[EMAIL PROTECTED]> From: Patrik Hornik <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: SA-20031006 slocate vulnerability Date: Mon, 6 Oct 2003 20:10:47 +0200 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ====================================================================== Security advisory 20031006 - ---------------------------------------------------------------------- Product: slocate Vulnerability type: buffer overflow (corrupt heap) Extended type: possibly gaining elevated privileges Severity: low Issue date: 2003/10/06 Last updated: 2003/10/06 ====================================================================== Description - ----------- Mr. Hornik has discovered buffer overflow vulnerability in slocate version 2.6. Many Linux distributions have their slocate package based on this version. We found at least RedHat package to be vulnerable. The vulnerability corrupts heap management structures and possibly leads to gaining slocate group privileges, which allows reading global slocate database and thus obtaining list of all files in the system by unauthorized user. Vulnerability - ------------- Program slocate works on user supplied database with setgid to slocate group. With user prepared slocate database one can cause (we are reffering to source lines from slocate-2.6-1.src.rpm from RH 7.3) that pathlen after executing main.c:1255 will have value -1. It must be caused by not the first path in the database because it is verified in validate_db. Then on line main.c:1275 the last byte of memory block header (this memory block size) will be overwritten with user suplied value. The codedpath is never freed by the code, but it is possible to trigger realloc on line 1269 later by data in database. Because of not freeing some dynamic memory, using multiple databases and multiple search patterns it should be possible to prepare heap before triggering this vulnerability to allow later execution of arbitrary code, thus gaining slocate group privileges. This allows reading of global slocate database with list of all files in the system by unauthorized user. The exploit is not available at this time. Suggested and correct patch is to change condition on line 1263 to pathlen <= 0. Who is affected? - ---------------- Affected are all RedHat distributions up to version 9.0 including. slocate version 2.6 and below is vulnerable. slocate version 2.7 and all packages based on this version are not vulnerable. Recommendations - --------------- We recommend to upgrade slocate package to the fixed version. If obtaining the list of all files on the system by unauthorized user is security risk for your system we recommend to remove slocate database and disable automatic generation of this database (as daily cron job) or remove slocate utility or generate database only from safe files until fixed version is installed. References - ---------- This security advisory: http://www.ebitech.sk/patrik/SA/SA-20031006.txt Contact - ------- Patrik Hornik - -- Security Consultant Email: [EMAIL PROTECTED] Phone: +421 905 385 666 PGP KeyID: DFA5BC67 -----BEGIN PGP SIGNATURE----- Version: PGP 6.0.2i iQA/AwUBP4GiISTdn3LfpbxnEQL15ACgufs5R/lwY0VgLoBYZQDXEMPho0IAmwZi rx2AbvKgd9w+C4l4r+l7eulc =Kp2V -----END PGP SIGNATURE----- ------------------------------ End of this Digest ****************** -- Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/ GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F All your domain are belong to us. It is the mind that moves _______________________________________________ ilugd mailing list [EMAIL PROTECTED] http://frodo.hserus.net/mailman/listinfo/ilugd