Date: Thu, 13 Oct 2005 15:17:26 -0700 (PDT)
From: Nate Eldredge <nge@cs.hmc.edu>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Nate Eldredge <nge@cs.hmc.edu>, freebsd-bugs@FreeBSD.org
Subject: Re: gnu/45168: Buffer overflow in /usr/bin/dialog
Message-ID: <Pine.GSO.4.63.0510131516340.4426@turing>
In-Reply-To: <20051013214603.GA8244@xor.obsecurity.org>
References: <200510132130.j9DLURLA071293@freefall.freebsd.org> <20051013214603.GA8244@xor.obsecurity.org>

On Thu, 13 Oct 2005, Kris Kennaway wrote:

> On Thu, Oct 13, 2005 at 09:30:27PM +0000, Nate Eldredge wrote:
>> The following reply was made to PR gnu/45168; it has been noted by GNATS.
>>
>> From: Nate Eldredge <nge@cs.hmc.edu>
>> To: bug-followup@FreeBSD.org, saturnero@freesbie.org
>> Cc: daveb@optusnet.com.au, freebsd-current@cs.hmc.edu
>> Subject: Re: gnu/45168: Buffer overflow in /usr/bin/dialog
>> Date: Thu, 13 Oct 2005 14:29:43 -0700 (PDT)
>>
>> libdialog appears to be brimming with bugs of this sort. Lots of uses of
>> strcpy / strcat. It probably needs a complete audit. Ideally there
>> should be no MAX_LEN and everything dynamically allocated. I hope to god
>> it is never run by anything with elevated privileges.
>
> void init_dialog(void)
> {
>
>     if (issetugid()) {
>         errx(1, "libdialog is unsafe to use in setugid applications");
>     }

Or if a setuid application calls dialog(1) with user input? This is also
bad, and wouldn't be caught by that I don't think. But hopefully they
would be smart enough to drop privileges first...

-- 
Nate Eldredge
nge@cs.hmc.edu
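
The precaution mentioned at the end of the message above, dropping privileges before a setuid program runs dialog(1), sketched as an added example that is not part of the original message or of FreeBSD's code. The function names `drop_privileges` and `run_unprivileged`, the `--msgbox` invocation and the 8x40 box size are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up set-user-ID / set-group-ID privileges.
 * Returns 0 on success, -1 if a step fails or the drop could be undone. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: after the uid drop we may lack permission to change it. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* The saved ids must be gone too, so regaining the old ids has to fail. */
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    if (old_euid != ruid && seteuid(old_euid) == 0)
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Fork, drop privileges in the child, then exec the helper directly
 * (no shell). Returns the helper's exit status, or -1 on failure. */
int run_unprivileged(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);            /* refuse to run the helper privileged */
        execv(path, argv);
        _exit(127);                /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    /* argv[1] stands in for the untrusted, user-supplied text. */
    char *dlg[] = { "dialog", "--msgbox", argc > 1 ? argv[1] : "", "8", "40", NULL };
    return run_unprivileged("/usr/bin/dialog", dlg);
}
```

The drop happens only in the forked child, so the parent keeps whatever privileges it still needs; a setuid program launched by a user already carries that user's supplementary groups, which is why no `setgroups()` call appears here.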