Re: RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch.
From: rexolab (research_at_rexotec.com)
Date: 11/18/04
- Previous message: Roy Arends: "Inofficial updates to 758884/NISCC/DNS"
- In reply to: Hans-Bernhard Broeker: "Re: RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 18 Nov 2004 17:51:04 +0400
To: bugtraq@securityfocus.com, cert@cert.org, vuln@secunia.com, full-disclosure@lists.netsys.com
We are very serious in this matter, as we have already discussed with you. We don't see why you think we are joking.
We found this vulnerability eighteen months ago already, but we found it in the 15-4 release of cscope.
The 15-5 version has the same problem....
The release date of the advisory's publication concerns only us.....
About the patch: sorry, we made a mistake and sent you the wrong one; now we are sending you the right one:
8<-------------------cut--here--------------------------------------------
diff -Naurp src_old/build.c src_new/build.c
--- src_old/build.c 2004-11-18 16:27:04.000000000 +0100
+++ src_new/build.c 2004-11-18 16:27:29.000000000 +0100
@@ -333,7 +333,7 @@ build(void)
(void) fprintf(stderr, "cscope: cannot open file %s\n", reffile);
myexit(1);
}
- if (invertedindex == YES && (postings = myfopen(temp1, "wb")) == NULL) {
+ if (invertedindex == YES && (postings = myfopen(temp1, "w+xb")) == NULL) {
cannotwrite(temp1);
cannotindex();
}
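Review bot: the "x" in `+ if (invertedindex == YES && (postings = myfopen(temp1, "w+xb")) == NULL) {` is a glibc extension of fopen() (O_EXCL semantics; it was only standardised later in C11), so on a C library that does not know it fopen() may fail or ignore the flag, and that portability limit should be documented or the open done with open(O_CREAT|O_EXCL) and fdopen() instead. The "+" also changes the stream from write-only to read/write, which the fix does not need. Exclusive create does refuse a symlink planted at temp1, but because temp1 stays predictable it equally refuses a leftover file from an earlier run, so cannotwrite()/cannotindex() is reached on every stale name; an unpredictable name (mkstemp) or removing the stale entry first is needed for the build to keep working.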
diff -Naurp src_old/display.c src_new/display.c
--- src_old/display.c 2004-11-18 16:27:04.000000000 +0100
+++ src_new/display.c 2004-11-18 16:27:29.000000000 +0100
@@ -431,7 +431,7 @@ search(void)
findresult = (*f)(pattern);
}
else {
- if ((nonglobalrefs = myfopen(temp2, "wb")) == NULL) {
+ if ((nonglobalrefs = myfopen(temp2, "w+xb")) == NULL) {
cannotopen(temp2);
return(NO);
}
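Review bot: this hunk protects only the myfopen(temp2, "w+xb") open; as the quoted reply in this thread points out, temp2 is also used to build an output redirection for a shell command run by cscope, and no hunk in this patch touches that use, so a symlink at temp2 can still be followed by the shell. Exclusive create guards only the open() it is applied to; the redirection needs the same treatment (an unpredictable name, or writing through the already-open descriptor rather than by name).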
@@ -754,13 +754,13 @@ BOOL
writerefsfound(void)
{
if (refsfound == NULL) {
- if ((refsfound = myfopen(temp1, "wb")) == NULL) {
+ if ((refsfound = myfopen(temp1, "w+xb")) == NULL) {
cannotopen(temp1);
return(NO);
}
} else {
(void) fclose(refsfound);
- if ( (refsfound = myfopen(temp1, "wb")) == NULL) {
+ if ( (refsfound = myfopen(temp1, "w+xb")) == NULL) {
postmsg("Cannot reopen temporary file");
return(NO);
}
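Review bot: the reopen in the else branch, `(void) fclose(refsfound);` followed by `+ if ( (refsfound = myfopen(temp1, "w+xb")) == NULL) {`, will now always fail: the file just closed still exists under temp1, so an exclusive create returns EEXIST and execution drops into "Cannot reopen temporary file". Either unlink(temp1) before the reopen (which reopens a small race window on a predictable name) or keep the stream and truncate/rewind it instead of reopening by name.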
8<----------------------------------------------cut-here-----------------------------------
enjoy,
Mr Gangstuck & associates......
--- On Thu, 18 Nov 2004 12:42:33 +0100 (CET) Hans-Bernhard Broeker <broeker@physik.rwth-aachen.de> wrote:
> On Thu, 18 Nov 2004, rexolab wrote:
>
> > VulnDiscovery: 2003/05/21
> > Release Date : 2004/11/17
>
> Surely you're joking, Mr. Gangstuck. You can't seriously be telling us
> you sat on this for no less than 18 months, without telling anybody about
> it.
>
> Actually, I somewhat doubt you even discovered this yourself --- what with
> this very bug having been posted to cscope's bugtracker on 2004-11-09.
>
> > Status : vendor has just been notified.
>
> Actually, we've been notified 11 days ago, and apparently not by you.
>
> > First, the temporary directory (P_tmpdir="/tmp") is badly handled
> > in every myfopen() internal call.
>
> [... there doesn't seem to be a "second", to that first...]
>
> Anyway, you're right, the vulnerability is there. Unfortunately your
> patch is not quite sufficient to close it, because you overlooked
> that temp2, one of the two predictable filenames, is also used to
> construct an output redirection for a shell command run by cscope.
>
> --
> Hans-Bernhard Broeker (broeker@physik.rwth-aachen.de)
> Even if all the snow were burnt, ashes would remain.
>
> --
> This message contains no known virus.
> neoDomaine Postmaster - http://www.neodomaine.com/
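The exclusive-create behaviour behind the patch's "x" flag, and the fclose()-then-reopen pattern in writerefsfound() that it breaks, as an added C example that is not part of the original mail or of cscope; the directory, file names and contents are constructed and confined to a private mkdtemp() directory.

```c
/* Added example, not cscope's own code: O_CREAT|O_EXCL (the patch's "x" flag)
 * against a symlink planted under a predictable temp name, and why reopening
 * that name with "x" after fclose() fails. Private mkdtemp() dir, names constructed. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Exclusive create, what fopen(path, "w+xb") does on glibc: 0 on success,
 * else errno (EEXIST for any existing entry, symlinks included). */
int open_exclusive(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Scenario 1: a symlink already sits at the predictable name (stands in for
 * temp1). Returns errno of the exclusive create; *victim_intact says whether
 * the link target kept its contents, i.e. the link was never followed. */
int symlink_planted(int *victim_intact)
{
    char dir[] = "/tmp/cscope-demo.XXXXXX", victim[64], link[64], buf[16];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/cscope.out", dir);
    FILE *f = fopen(victim, "w");
    if (f) { fputs("original", f); fclose(f); }
    symlink(victim, link);                 /* planted before the open */
    int rc = open_exclusive(link);         /* O_EXCL never follows it */
    f = fopen(victim, "r");
    *victim_intact = f && fgets(buf, sizeof buf, f) && !strcmp(buf, "original");
    if (f) fclose(f);
    unlink(link); unlink(victim); rmdir(dir);
    return rc;
}

/* Scenario 2: the patch's writerefsfound() pattern, fclose() then reopen the
 * same name with "x": the second open collides with its own file (EEXIST). */
int reopen_after_close(void)
{
    char dir[] = "/tmp/cscope-demo.XXXXXX", path[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/cscope.out", dir);
    int first = open_exclusive(path), second = open_exclusive(path);
    unlink(path); rmdir(dir);
    return first == 0 ? second : -1;
}
```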