> Some versions (the util-linux version, but not the netwrite or netkit
> versions) of /usr/bin/write have a buffer overrun problem that is
> almost certainly exploitable. Note that this gives access to the tty
> group, but not (directly) root.
>
> The fix is to change the two sprintfs to snprintfs. Patches have been
> mailed to the maintainer.
While I agree that routines that do not bounds check can be dangerous,
from the looks of things, there is no buffer overrun regarding the 2
sprintf()s in this code.
Both of the sprintf()s in this code are identical:
From util-linux-2.6:
269: (void)sprintf(path, "/dev/%s", tty);
300: (void)sprintf(path, "/dev/%s", tty);
In order to pass in the evil buffer, one has to get by either
search_utmp() or utmp_chk(). Both of these check utmp to see if it can
find a tty & user pair that matches the ones you requested.
[mod: David Holland acknowledges this. -- REW]
Did I miss something?
Dave G.
<daveg@escape.com>
http://www.escape.com/~daveg
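The fix the quoted advisory describes (sprintf to snprintf) is shown below as an added example; it is not code from util-linux or from either poster. It assumes a fixed-size path buffer (PATH_SZ, a size chosen for this example; the page does not state the real buffer size) and shows what snprintf alone does and does not give you: it stops the overrun, but the caller still has to check the return value, or an over-long tty name silently becomes a truncated path.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the "/dev/<tty>" path; chosen for this example. */
#define PATH_SZ 32

/* Build "/dev/<tty>" into a fixed-size buffer with snprintf.
 * Returns 0 on success, -1 if the result would not fit.
 * snprintf never writes past pathsz, but it reports the length it *wanted*;
 * a value >= pathsz means the output was truncated, which we treat as an
 * error rather than silently opening the wrong device. */
int build_tty_path(char *path, size_t pathsz, const char *tty)
{
    int n = snprintf(path, pathsz, "/dev/%s", tty);
    if (n < 0 || (size_t)n >= pathsz) {
        if (pathsz > 0)
            path[0] = '\0';      /* leave no partial path behind */
        return -1;
    }
    return 0;
}

/* Convenience wrapper with an internal PATH_SZ buffer, so the bounds check
 * can be exercised on a tty name without the caller managing storage. */
int check_tty_path(const char *tty)
{
    char path[PATH_SZ];
    return build_tty_path(path, sizeof path, tty);
}

int main(void)
{
    char path[PATH_SZ];
    /* Constructed inputs: a normal tty name and an over-long one. */
    const char *normal = "ttyp3";
    char toolong[64];
    memset(toolong, 'A', sizeof toolong - 1);
    toolong[sizeof toolong - 1] = '\0';

    if (build_tty_path(path, sizeof path, normal) == 0)
        printf("ok: %s\n", path);
    if (build_tty_path(path, sizeof path, toolong) != 0)
        printf("rejected: %zu-byte tty name does not fit in %d bytes\n",
               strlen(toolong), PATH_SZ);
    return 0;
}
```

With PATH_SZ at 32, "/dev/" plus a 26-character name (31 bytes plus the terminator) still fits, while a 27-character name is rejected; the original sprintf would have written the extra bytes past the end of the buffer.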