vulnerability fixed

Alexander Neundorf alexander.neundorf at gmx.net
Thu Oct 31 22:59:05 GMT 2002


Hi,

There was a vulnerability in kdenetwork/lanbrowsing/lisa/ running in restricted 
mode (reslisa), which enabled a local root exploit. I fixed it immediately as 
it was reported to me.

Does sun_path have the same size on every system?
It's 108 bytes on my box, but Google also told me something about 64 bytes.
Any reliable information?

Patch attached, already committed.

Bye
Alex

--- netmanager.cpp      2002/02/02 10:30:58     1.14
+++ netmanager.cpp      2002/10/31 22:45:43
@@ -131,14 +131,25 @@ int NetManager::prepare()
       m_listenFD=::socket(AF_LOCAL, SOCK_STREAM, 0);
       //m_listenFD=::socket(AF_LOCAL, SOCK_STREAM, IPPROTO_TCP);
       MyString socketName("/tmp/resLisa-");
-      socketName+=getenv("LOGNAME");
+      char *logname=getenv("LOGNAME");
+      if (strlen(logname)>60)
+      {
+         std::cout<<"NetManager::prepare: your logname  \""<<logname<<"\" is 
longer than 60 characters, exiting."<<std::endl;
+         return 0;
+      }
+      socketName+=logname;
       ::unlink(socketName.data());
       sockaddr_un serverAddr;
 //      bzero((char*)&serverAddr, sizeof(serverAddr));
       memset((void*)&serverAddr, 0, sizeof(serverAddr));
       serverAddr.sun_family      = AF_LOCAL;
       strcpy(serverAddr.sun_path,socketName.data());
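
Review bot: strlen(logname) is called without checking that getenv("LOGNAME") returned non-NULL, so an unset LOGNAME dereferences a null pointer in the new length check; test logname for NULL first and return the same way. The limit of 60 is a magic number: with the 13-character "/tmp/resLisa-" prefix it allows 73 characters plus the terminator, which fits a 108-byte sun_path but not a 64-byte one, so compare the full socket name length against sizeof(serverAddr.sun_path) and make the copy bounded instead of relying on the unchanged strcpy. The value also reaches ::unlink and sun_path without being checked for '/' characters, which should be rejected in the same test.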
