vulnerability fixed
George Staikos
staikos at kde.org
Fri Nov 1 01:34:20 GMT 2002
How about this supplementary patch? I haven't really tested it because I
don't use Lisa at all. It looks a bit cleaner and safer to me.
On October 31, 2002 17:59, Alexander Neundorf wrote:
> Hi,
>
> there was a vulnerability in kdenetwork/lanbrowsing/lisa/ running in
> restricted mode (reslisa), which enabled a local root exploit, I fixed it
> immediately as it was reported to me.
>
> Does sun_path have the same size on every system?
> It's 108 bytes on my box, but google told me also something about 64 bytes.
> Any reliable information?
>
> Patch attached, already committed.
>
> Bye
> Alex
>
> --- netmanager.cpp 2002/02/02 10:30:58 1.14
> +++ netmanager.cpp 2002/10/31 22:45:43
> @@ -131,14 +131,25 @@ int NetManager::prepare()
> m_listenFD=::socket(AF_LOCAL, SOCK_STREAM, 0);
> //m_listenFD=::socket(AF_LOCAL, SOCK_STREAM, IPPROTO_TCP);
> MyString socketName("/tmp/resLisa-");
> - socketName+=getenv("LOGNAME");
> + char *logname=getenv("LOGNAME");
> + if (strlen(logname)>60)
> + {
> + std::cout<<"NetManager::prepare: your logname \""<<logname<<"\"
> is longer than 60 characters, exiting."<<std::endl;
> + return 0;
> + }
> + socketName+=logname;
>
> ::unlink(socketName.data());
>
> sockaddr_un serverAddr;
> // bzero((char*)&serverAddr, sizeof(serverAddr));
> memset((void*)&serverAddr, 0, sizeof(serverAddr));
> serverAddr.sun_family = AF_LOCAL;
> strcpy(serverAddr.sun_path,socketName.data());
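Review bot: the added strlen(logname) runs on the raw result of getenv("LOGNAME"), which is NULL when the variable is unset, so the new length check itself can crash; test for NULL (and an empty string) before measuring it. The limit of 60 is also a fixed number rather than something derived from the buffer: "/tmp/resLisa-" is 13 characters, so a 60-character name plus the terminating NUL needs 74 bytes, which fits a 108-byte sun_path but not the 64-byte one raised in the message above. Compute the bound from sizeof(serverAddr.sun_path) and replace the unchanged strcpy(serverAddr.sun_path,socketName.data()) with a bounded copy so the two cannot drift apart. Separately, LOGNAME is set by the caller and still flows unfiltered into ::unlink(socketName.data()); rejecting names that contain '/' or taking the user name from getpwuid(getuid()) would keep that path confined to /tmp.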
--
George Staikos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lisa.patch
Type: text/x-diff
Size: 1501 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20021031/3ee3c581/attachment.patch>