![[LWN Logo]](/images/lwn.banner.gif)
Date: Wed, 24 May 2000 15:04:27 -0700
From: "Katherine M. Moussouris" <k8e@TURBOLINUX.COM>
Subject: Re: fdmount buffer overflow
To: BUGTRAQ@SECURITYFOCUS.COM
FYI, TurboLinux is also NOT affected "as shipped" by this
particular vulnerability, because users are never automatically added to
the floppy group.
fdmount *is* suid root, however, and we will be releasing an updated
package shortly.
-k8e
On Tue, 23 May 2000, Vandoorselaere Yoann wrote:
> Chmouel Boudjnah <chmouel@mandrakesoft.com> writes:
>
> > Greg Olszewski <noop@NWONKNU.ORG> writes:
> >
> > > Debian 2.1, 2.2, 2.3: fdmount is NOT installed suid.
> > > Mandrake 7.0: Vulnerable
> >
> > All our security system is handle via msec, in this case we add a user
> > in the floppy group only if we are in level >= 3.
> >
> > So we are not affected if by default you did an Server install or set
> > your security level to 4 5.
> >
> > Indeed we are affected if (and only if) the user is in the floppy
> > group. A fix (remove suid root) come soon.
>
> Here is a patch to correct the fdmount problem...
>
> --- fdmount.c.orig Tue May 23 18:48:40 2000
> +++ fdmount.c Tue May 23 18:49:04 2000
> @@ -127,9 +127,10 @@
>
> void errmsg(char *text,...) {
> char buff[80];
> +
> va_list p;
> va_start(p,text);
> - vsprintf(buff,text,p);
> + vsnprintf(buff, 80, text,p);
> va_end(p);
> if(use_syslog)
> syslog(LOG_ERR, "%s: %s\n",curdev,buff);
>
>
> --
> -- Yoann, http://www.mandrakesoft.com/~yoann/
> It is well known that M$ products don't call free() after a malloc().
> The Unix community wish them good luck for their future developments.
>
>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<
Katie Moussouris Software Engineer
k8e@turbolinux.com Security Tzarina
(650)228-5000 TurboLinux, Inc.