gnu/45168: Buffer overflow in /usr/bin/dialog
Nate Eldredge
nge at cs.hmc.edu
Thu Oct 13 15:17:26 PDT 2005
On Thu, 13 Oct 2005, Kris Kennaway wrote:
> On Thu, Oct 13, 2005 at 09:30:27PM +0000, Nate Eldredge wrote:
>> The following reply was made to PR gnu/45168; it has been noted by GNATS.
>>
>> From: Nate Eldredge <nge at cs.hmc.edu>
>> To: bug-followup at FreeBSD.org, saturnero at freesbie.org
>> Cc: daveb at optusnet.com.au, freebsd-current at cs.hmc.edu
>> Subject: Re: gnu/45168: Buffer overflow in /usr/bin/dialog
>> Date: Thu, 13 Oct 2005 14:29:43 -0700 (PDT)
>>
>> libdialog appears to be brimming with bugs of this sort. Lots of uses of
>> strcpy / strcat. It probably needs a complete audit. Ideally there
>> should be no MAX_LEN and everything dynamically allocated. I hope to god
>> it is never run by anything with elevated privileges.
>
> void init_dialog(void)
> {
>
>     if (issetugid()) {
>         errx(1, "libdialog is unsafe to use in setugid applications");
>     }
Or if a setuid application calls dialog(1) with user input? This is also
bad, and wouldn't be caught by that I don't think. But hopefully they
would be smart enough to drop privileges first...
--
Nate Eldredge
nge at cs.hmc.edu
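
The quoted suggestion above (no MAX_LEN, everything dynamically allocated, in place of strcpy / strcat into fixed buffers) can be sketched as a growable string. This is an added example, not code from libdialog or from anyone in the thread; `struct dstr`, `dstr_append`, `dstr_free` and `demo_build` are hypothetical names, and the 64-byte starting capacity is an arbitrary choice.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string (not a libdialog type). */
struct dstr {
    char  *buf;   /* NUL-terminated once non-NULL */
    size_t len;   /* bytes used, excluding the NUL */
    size_t cap;   /* bytes allocated */
};

/* Append s, growing the buffer as needed. Returns 0 on success, -1 on size
 * overflow or allocation failure (d is unchanged). s must not point into d. */
int dstr_append(struct dstr *d, const char *s)
{
    size_t n = strlen(s);
    if (n >= SIZE_MAX - d->len)          /* len + n + 1 would wrap */
        return -1;
    size_t need = d->len + n + 1;
    if (need > d->cap) {
        size_t ncap = d->cap ? d->cap : 64;
        while (ncap < need)              /* double, but never wrap */
            ncap = (ncap > SIZE_MAX / 2) ? need : ncap * 2;
        char *p = realloc(d->buf, ncap);
        if (p == NULL)
            return -1;
        d->buf = p;
        d->cap = ncap;
    }
    memcpy(d->buf + d->len, s, n + 1);   /* copies the terminating NUL too */
    d->len += n;
    return 0;
}

void dstr_free(struct dstr *d)
{
    free(d->buf);
    *d = (struct dstr){0};
}

/* Constructed demo: concatenate `pieces` 16-byte chunks, the kind of input
 * that overruns a fixed buffer. Returns the final length, 0 on failure. */
size_t demo_build(size_t pieces)
{
    struct dstr d = {0};
    for (size_t i = 0; i < pieces; i++)
        if (dstr_append(&d, "0123456789abcdef") != 0) { dstr_free(&d); return 0; }
    size_t total = d.len;
    dstr_free(&d);
    return total;
}
```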