Date: Thu, 14 Nov 2002 14:48:21 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Knud Erik Højgaard <knud@skodliv.dk>
Cc: ports@freebsd.org, mita@FreeBSD.org
Subject: Re: security problem in /usr/ports/comms/efax
Message-ID: <20021114224806.GF11972@rot13.obsecurity.org>
In-Reply-To: <039801c28c0d$07d52d70$24029dd9@tuborg>
References: <039801c28c0d$07d52d70$24029dd9@tuborg>
On Thu, Nov 14, 2002 at 07:38:29PM +0100, Knud Erik Højgaard wrote:
> ===> SECURITY NOTE:
> This port has installed the following binaries which execute with
> increased privileges.
> 326461 192 -rwsr-xr-x 1 uucp dialer 97432 Nov 14 19:13 /usr/local/bin/efax
> 
> $ gdb -q /usr/local/bin/efax
> (no debugging symbols found)...(gdb) r -x `perl -e 'print "A" x 1056'`
> Starting program: /usr/local/bin/efax -x `perl -e 'print "A" x 1056'`
> /usr/local/bin/efax: Thu Nov 14 19:29:32 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
> /usr/local/bin/efax: Thu Nov 14 19:29:32 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
> efax: 29:32 compiled Nov 14 2002 19:26:43
> efax: 29:32 Error: can't open pre-lock file [A lot of A's here]: File name too long
> (no debugging symbols found)...(no debugging symbols found)...
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> (gdb)

Thanks for your note.  I have marked the port FORBIDDEN for now until
someone can review and commit your patch.

Kris

> 
> the following diff (gently provided by the author of efax) fixes it:
> *** efaxos.c~ Mon Mar 1 22:18:30 1999
> --- efaxos.c Mon Sep 30 18:53:13 2002
> ***************
> *** 409,414 ****
> --- 409,420 ----
> 
> err = ttlocked ( fname, log ) ;
> 
> + if ( strlen ( fname ) + 11 > EFAX_PATH_MAX ) {
> + err = msg ( "E2lock file path too long (must be <= %d characters)",
> + EFAX_PATH_MAX - 11 );
> + }
> +
> +
> if ( ! err ) {
> dirlen = ( p = strrchr( fname , '/' ) ) ? p-fname+1 : strlen ( fname )
> ;
> sprintf ( buf , "%.*sTMP..%05d" , dirlen , fname , (int) pid ) ;
> 
> I forgot to notify you when I received the reply from the author, sorry.
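Review bot: the `+ 11` reserve in the new check assumes the pid renders in exactly five digits, but `%05d` in the `sprintf ( buf , "%.*sTMP..%05d" , dirlen , fname , (int) pid )` below is a minimum width, not a maximum, so a six-digit pid adds one more byte than the check allows for; the check is conservative for names with a directory component (it measures `strlen ( fname )` while only the `dirlen` prefix is copied), but for a bare name without a '/' there is no slack. Suggest replacing the `sprintf` with `snprintf ( buf , sizeof buf , ... )` (assuming buf is a fixed-size array) and treating a return value of `sizeof buf` or more as the error, so the bound comes from the formatter rather than a hand-counted constant. Two smaller points: the new block overwrites whatever `err` was just set by `ttlocked ( fname, log )`, so the earlier diagnostic is lost on the too-long path, and the quoted context line `dirlen = ( p = strrchr( fname , '/' ) ) ? ...` has been hard-wrapped by the mail client with its `;` on a separate `> ;` line, so the patch needs rejoining before it will apply cleanly.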
> 
> -- 
> Knud Erik Højgaard
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ports" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
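The length check in the quoted efaxos.c patch, shown as an added example that is not efax's own code: the patch's hand-counted "+ 11" guard next to a version of the same name construction that lets snprintf bound the write and report whether the result fit. EFAX_PATH_MAX (shrunk here so the overflow case is easy to reach), the function names and the sample inputs are assumptions made for this example.

```c
/* Added example (not efax's own code): the pre-lock name construction from the
 * quoted efaxos.c hunk, with the patch's "+ 11" pre-check beside a version that
 * lets snprintf report whether the result fits. EFAX_PATH_MAX (shrunk so the
 * overflow case is easy to reach), function names and inputs are assumptions. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define EFAX_PATH_MAX 64
/* The patch's guard: path + "TMP.." + five pid digits + NUL must fit. It assumes
 * the pid prints in exactly five digits, but %05d is only a minimum width. */
int patch_precheck(const char *fname)
{
    return strlen(fname) + 11 > EFAX_PATH_MAX ? -1 : 0;
}
/* Same name as the hunk builds (directory prefix through the last '/', or the
 * whole name if none), but bounded: snprintf returns the length it needed. */
int build_prelock_name(char *buf, size_t bufsz, const char *fname, pid_t pid)
{
    const char *p = strrchr(fname, '/');
    int dirlen = p ? (int)(p - fname + 1) : (int)strlen(fname);
    int need = snprintf(buf, bufsz, "%.*sTMP..%05d", dirlen, fname, (int)pid);
    if (need < 0 || (size_t)need >= bufsz) {
        buf[0] = '\0';              /* truncated: refuse rather than use a partial name */
        return -1;
    }
    return 0;
}
/* Returns the name in a static EFAX_PATH_MAX buffer, or NULL if it does not fit. */
const char *prelock_name(const char *fname, pid_t pid)
{
    static char buf[EFAX_PATH_MAX];
    return build_prelock_name(buf, sizeof buf, fname, pid) == 0 ? buf : NULL;
}
/* Constructed input: n copies of c, like the 1056-byte argument in the report. */
const char *repeat_char(char c, size_t n)
{
    static char s[2048];
    if (n >= sizeof s) n = sizeof s - 1;
    memset(s, c, n);
    s[n] = '\0';
    return s;
}
int main(void)
{
    const char *name = prelock_name("/var/spool/lock/LCK..cuaa0", (pid_t)4242);
    printf("short name: %s\n", name ? name : "(rejected)");
    printf("1056 A's: precheck %d, bounded build %s\n", patch_precheck(repeat_char('A', 1056)),
           prelock_name(repeat_char('A', 1056), (pid_t)4242) ? "fits" : "rejected");
    return 0;
}
```

A 53-byte name without a '/' passes the pre-check (53 + 11 is not greater than 64), yet with a six-digit pid the bounded build still reports that the name does not fit, which is the gap the "+ 11" constant leaves open.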
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021114224806.GF11972>