Date: Thu, 14 Nov 2002 19:38:29 +0100
From: Knud Erik Højgaard <knud@skodliv.dk>
To: <ports@freebsd.org>, <mita@FreeBSD.org>
Subject: security problem in /usr/ports/comms/efax
Message-ID: <039801c28c0d$07d52d70$24029dd9@tuborg>

===> SECURITY NOTE:
This port has installed the following binaries which execute with
increased privileges.
326461 192 -rwsr-xr-x 1 uucp dialer 97432 Nov 14 19:13 /usr/local/bin/efax

$ gdb -q /usr/local/bin/efax
(no debugging symbols found)...(gdb) r -x `perl -e 'print "A" x 1056'`
Starting program: /usr/local/bin/efax -x `perl -e 'print "A" x 1056'`
/usr/local/bin/efax: Thu Nov 14 19:29:32 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
/usr/local/bin/efax: Thu Nov 14 19:29:32 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: 29:32 compiled Nov 14 2002 19:26:43
efax: 29:32 Error: can't open pre-lock file [A lot of A's here]: File name too long
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)

the following diff (gently provided by the author of efax) fixes it:

*** efaxos.c~ Mon Mar 1 22:18:30 1999 --- efaxos.c Mon Sep 30 18:53:13 2002 *************** *** 409,414 **** --- 409,420 ---- err = ttlocked ( fname, log ) ; + if ( strlen ( fname ) + 11 > EFAX_PATH_MAX ) { + err = msg ( "E2lock file path too long (must be <= %d characters)", + EFAX_PATH_MAX - 11 ); + } + + if ( ! err ) { dirlen = ( p = strrchr( fname , '/' ) ) ? p-fname+1 : strlen ( fname ) ; sprintf ( buf , "%.*sTMP..%05d" , dirlen , fname , (int) pid ) ;

I forgot to notify you when I received the reply from the author, sorry.

--
Knud Erik Højgaard
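
Review bot: the unchanged `sprintf ( buf , "%.*sTMP..%05d" , dirlen , fname , (int) pid ) ;` at the end of the hunk is still unbounded, and the added check's constant 11 only covers it when the pid prints in five digits: "TMP.." plus five digits plus the terminating NUL is 11, but `%05d` is a minimum width, so a longer pid writes past what the check allows for. Replace it with snprintf bounded by sizeof buf and treat truncation as an error, so the write is safe regardless of the constant; this assumes buf is EFAX_PATH_MAX bytes, which the hunk does not show. The new check also sits after `err = ttlocked ( fname, log ) ;`, so an over-long fname has already been passed to ttlocked before it is rejected; moving the check above that call would reject the path before any code uses it.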