From owner-freebsd-security Sun May 5 16:44:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from slc.edu (weir-01c.slc.edu [207.106.89.46]) by hub.freebsd.org (Postfix) with ESMTP id A3D6437B401 for ; Sun, 5 May 2002 16:44:34 -0700 (PDT) Received: (from anthony@localhost) by slc.edu (8.11.6/8.11.6) id g45NkhU00978; Sun, 5 May 2002 19:46:43 -0400 (EDT) (envelope-from anthony) Date: Sun, 5 May 2002 19:46:43 -0400 From: Anthony Schneider To: Colin Percival Cc: ReDeeMeR , FreeBSD-security@FreeBSD.ORG Subject: Re: Buffer overflow in /usr/games/strfile Message-ID: <20020505194643.A934@mail.slc.edu> References: <20020505213314.8762.qmail@uwdvg007.cms.usa.net> <5.0.2.1.1.20020505224651.00afbd78@popserver.sfu.ca> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="TB36FDmn/VVEgNH/" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <5.0.2.1.1.20020505224651.00afbd78@popserver.sfu.ca>; from colin.percival@wadham.ox.ac.uk on Sun, May 05, 2002 at 11:27:49PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --TB36FDmn/VVEgNH/ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, May 05, 2002 at 11:27:49PM +0100, Colin Percival wrote: > Given that this is not a security issue -- as you point out, "no extra= =20 > privileges can be gained" -- this is rather off-topic for -security;=20 > nevertheless, it is less so than discussions of mailing list sender=20 > restrictions, so I'll go ahead and respond. I agree that it is not an *active* security hazard, however, it is a potential security hazard were some other extra-privileged program to rely on strfile's functionality for whatever purpose (think termcap buffer overflows...termcap itself, a library, is not a setuid application, but xterm, which runs setuid root, replies on termcap, and buffer overflows have occurred where a user crafts a malicious termcap file and launches xterm, overflowing a buffer in some termcap routine, and getting dropped to a shell with the same privileges that xterm was run under). /$.02 -Anthony. ----------------------------------------------- PGP key at: http://www.keyserver.net/ http://www.anthonydotcom.com/gpgkey/key.txt Home: http://www.anthonydotcom.com ----------------------------------------------- --TB36FDmn/VVEgNH/ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjzVxGMACgkQ+rDjkNht5F1MqACeIjkLhrkRy02TWjq0690VWXct /78AnjtsFBR7qtpc/4t4Eg0bOA5Vx57B =xgwR -----END PGP SIGNATURE----- --TB36FDmn/VVEgNH/-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message