From: Nate Eldredge
To: Kris Kennaway
Cc: Nate Eldredge, freebsd-bugs@FreeBSD.org
Date: Thu, 13 Oct 2005 15:17:26 -0700 (PDT)
Subject: Re: gnu/45168: Buffer overflow in /usr/bin/dialog
In-Reply-To: <20051013214603.GA8244@xor.obsecurity.org>
References: <200510132130.j9DLURLA071293@freefall.freebsd.org> <20051013214603.GA8244@xor.obsecurity.org>

On Thu, 13 Oct 2005, Kris Kennaway wrote:

> On Thu, Oct 13, 2005 at 09:30:27PM +0000, Nate Eldredge wrote:
>> The following reply was made to PR gnu/45168; it has been noted by GNATS.
>>
>> From: Nate Eldredge
>> To: bug-followup@FreeBSD.org, saturnero@freesbie.org
>> Cc: daveb@optusnet.com.au, freebsd-current@cs.hmc.edu
>> Subject: Re: gnu/45168: Buffer overflow in /usr/bin/dialog
>> Date: Thu, 13 Oct 2005 14:29:43 -0700 (PDT)
>>
>> libdialog appears to be brimming with bugs of this sort. Lots of uses of
>> strcpy / strcat. It probably needs a complete audit. Ideally there
>> should be no MAX_LEN and everything dynamically allocated. I hope to god
>> it is never run by anything with elevated privileges.
>
> void init_dialog(void)
> {
>
>     if (issetugid()) {
>         errx(1, "libdialog is unsafe to use in setugid applications");
>     }

Or if a setuid application calls dialog(1) with user input? This is also bad, and wouldn't be caught by that I don't think. But hopefully they would be smart enough to drop privileges first...

-- 
Nate Eldredge
nge@cs.hmc.edu
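As an added illustration of the two fixes the thread discusses (this is example code, not libdialog's own nor anything posted by Nate or Kris), here is a label builder of the kind that libdialog does with strcpy/strcat into a MAX_LEN buffer, written once with an explicit bounds check and once with the MAX_LEN removed in favour of dynamic allocation. The function names, the 32-byte MAX_LEN and the "title: text" layout are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size buffer in the style of libdialog's MAX_LEN; 32 is a size
 * constructed for this example, not the library's own value. */
#define MAX_LEN 32

/* Bounds-checked replacement for strcpy/strcat into a MAX_LEN buffer:
 * returns 0 on success, -1 (errno = ENAMETOOLONG) if the label would not
 * fit. Never writes past out[MAX_LEN-1], and leaves an empty string
 * rather than a silently truncated one. */
int join_label_checked(const char *title, const char *text, char out[MAX_LEN])
{
    int n = snprintf(out, MAX_LEN, "%s: %s", title, text);
    if (n < 0 || n >= MAX_LEN) {
        out[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* The fix the thread proposes: no MAX_LEN at all. Allocates exactly what
 * the label needs; the caller frees it. NULL on allocation failure. */
char *join_label_dynamic(const char *title, const char *text)
{
    size_t len = strlen(title) + 2 + strlen(text);  /* 2 for ": " */
    char *out = malloc(len + 1);
    if (out != NULL)
        snprintf(out, len + 1, "%s: %s", title, text);
    return out;
}

int main(void)
{
    char buf[MAX_LEN], text[100];
    memset(text, 'A', sizeof text - 1);  /* constructed over-long input */
    text[sizeof text - 1] = '\0';
    if (join_label_checked("Title", text, buf) == -1)
        printf("checked: rejected, %s\n", strerror(errno));
    char *label = join_label_dynamic("Title", text);
    printf("dynamic: %zu bytes\n", label ? strlen(label) : (size_t)0);
    free(label);
    return 0;
}
```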