Just got this on bugtraq...
Balu
-------- Original Message --------
Subject: SVGATextMode 1.8 /tmp race
Date: Thu, 21 Oct 1999 23:01:34 +0300
From: Adrian Voinea <root@DEATH.GDS.RO>
Reply-To: Adrian Voinea <root@DEATH.GDS.RO>
To: BUGTRAQ@NETSPACE.ORG
Hello,
savetextmode, a utility that comes with SVGATextMode 1.8, saves the text
mode data in /tmp, in two files with the mode 644:
[/tmp]
root@Death# ls -lA
total 1
drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/
[/tmp]
root@Death# savetextmode
svgalib: Using S3 driver (Trio64, 4096K).
svgalib: s3: chipsets newer than S3-864 is not supported well yet.
svgalib: RAMDAC: Trio64: MCLK = 47.131 MHz
[/tmp]
root@Death# ls -lA
total 35
drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/
-rw-r--r-- 1 root gods 32768 Oct 21 22:56 fontdata
-rw-r--r-- 1 root gods 385 Oct 21 22:56 textregs
Also, I would like to add that savetextmode accepts no parameters.
[mod: The rest of this message is completely bogus: SVGATextMode has
NOTHING whatsoever to do with "savetextmode", which comes from the
svgalib package.... -- REW]
So... any user on the system that knows that the root is using
SVGATextMode could link any of the files to a file that he wants to be
overwritten.
The e-mail is cc-ed to the maker of SVGATextMode,
koen.gadeyne@barco.com.
.=-=-=-=-=-=-=-=-=.=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=.
| Adrian Voinea |When I Die, I want to go like my grandfather did, |
| adi@gds.ro |peacefully in his sleep. Not yelling and screaming,|
|TEL:+40 51 412146|like all the passengers in his car! .=-=-=-=-=-=-=-''
`=-=-=-=-=-=-=-=-=''=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-''
