Date:         Tue, 28 Nov 2000 11:32:05 +0100
From: Olaf Kirch <okir@CALDERA.DE>
Subject:      Re: [MSY] S(ecure)Locate heap corruption vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

On Sun, Nov 26, 2000 at 11:38:25PM +0100, Michel Kaempf wrote:
> The author, Kevin Lindsay, was contacted and confirmed Secure Locate
> v2.3 is not affected by the vulnerability described in this advisory.
> Every Secure Locate version, from 1.4 (included) to 2.2 (included), is
> affected by the problem, and vulnerable to the exploit described below.

It's still vulnerable to other problems, however:

	$ slocate -U /dev -o $PWD/database
	$ ls -l database
	-rw-r-----   1 okir     slocate      3137 Nov 28 10:55 database

Whoops.

IMO, slocate should drop its privilege when given any of the "fishy"
options such as database locations, request to update the database,
etc.

I do not believe that there's much you can do with group slocate privilege
except getting read access to the entire database, and discover that
your co-worker is hiding S&M GIFs somewhere in his home directory (gasp!).
That is, at least if your slocate binary and database directory are
not writable by group slocate. If they are, you're in trouble.

Still, being called "secure" locate it should probably be a little
less liberal with its privileges.

Cheers,
Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.
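
The privilege drop suggested in the message above, sketched in C as an added example; it is not part of the original post and not slocate's own code. The function names are hypothetical, and the option check covers only the -U and -o options shown in the message.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if any option cluster contains -U or -o, the two options used in
 * the message above. Over-matching (e.g. an 'o' inside an attached option
 * argument) is deliberate: it errs toward dropping privilege. */
int needs_priv_drop(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0)
            break;                      /* end of options */
        if (argv[i][0] == '-' && strpbrk(argv[i] + 1, "Uo") != NULL)
            return 1;
    }
    return 0;
}

/* Give up the set-group-ID privilege for good: real and effective GID (and,
 * as a side effect of setting the real GID, the saved GID) become the
 * caller's real GID. Returns 0 on success, -1 on failure. */
int drop_group_privilege(void)
{
    gid_t rgid = getgid(), old_egid = getegid();

    if (setregid(rgid, rgid) != 0)
        return -1;
    if (getgid() != rgid || getegid() != rgid)
        return -1;
    /* If the old effective GID can be restored, the drop was not permanent.
     * Skipped for root, which may always change its GIDs. */
    if (geteuid() != 0 && old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    /* Drop before any caller-supplied path is opened or created. */
    if (needs_priv_drop(argc, argv) && drop_group_privilege() != 0) {
        fprintf(stderr, "cannot drop group privilege, refusing to continue\n");
        return 1;
    }
    printf("rgid=%ld egid=%ld\n", (long)getgid(), (long)getegid());
    return 0;
}
```

With the drop done first, a file written through -o is created with the caller's own group instead of the privileged one.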