Displaying 13 results from an estimated 13 matches for "kankovsky".
2000 Sep 25
2
off-by-one errors in getnameinfo()
...own
programs appear to use it (at least OpenSSH and in.ftpd use sizeof() of a
buffer as servlen / hostlen).
Proposed fix:
Replace >'s with >='s.
Related problems:
The simpleminded implementation of getnameinfo() included in "portable
OpenSSH" is affected too.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
2001 Aug 15
1
ProxyCommand broken in SNAP-20010814
...+475,7 @@
case oProxyCommand:
charptr = &options->proxy_command;
+ string = xstrdup("");
while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
string = xrealloc(string, strlen(string) + strlen(arg) + 2); strcat(string, " ");
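Review bot: in the while loop, strcat(string, " ") runs directly after the xrealloc, so with string now starting as "" the separator is written before the first argument as well. If the argument is appended after it, as the "+ 2" sizing suggests, the stored proxy_command begins with a space. Consider adding the separator only when string is already non-empty, and put a short comment on the new xstrdup("") line saying that it exists so the first strlen(string) operates on a valid, empty string.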
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
1998 May 19
1
Beware of dangerous enviroment (Re: Overflows in minicom)
...804 wait4 S p2 0:00 -bash
100000 555 17347 17293 10 0 2384 1208 fifo_open S p2 0:00 xterm
100000 555 17348 17293 17 0 920 500 R p2 0:00 ps l
Apparently, xterm attempted to open /tmp/LC_MESSAGES.
(Oh yes, xterm is setuid and owned by root.)
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
2007 Nov 27
2
[PATCH] Make xenstored EOF-safe
As bug 968 suggests, xenstored must properly handle EOF from clients.
From: Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
Signed-off-by: Samuel Thibault <samuel.thibault@citrix.com>
diff -r 6fd17d0dcbcd tools/xenstore/xenstored_core.c
--- a/tools/xenstore/xenstored_core.c Tue Nov 27 12:49:16 2007 +0000
+++ b/tools/xenstore/xenstored_core.c Tue Nov 27 14:56:35 2007 +0000
@@ -1...
1998 May 29
5
Configuration for binding to "secure" ports?
[Note to R. Wolff -- thanks for the pointers and the program. As I
understand its workings, it would run as root and bind a listen port
to a particular program -- with a list being supplied in
/etc/portadmin or other file. Basically, a listen wrapper. Hopefully
this message will address your cleanup concerns in my previous
message. Thanks. Also, you may want to provide a moderator's
1999 Nov 19
2
[RHSA-1999:055-01] Denial of service attack in syslogd
---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: Denial of service attack in syslogd
Advisory ID: RHSA-1999:055-01
Issue date: 1999-11-19
Updated on: 1999-11-19
Keywords: syslogd sysklogd stream socket
Cross references: bugtraq id #809
---------------------------------------------------------------------
1. Topic:
A
1998 Feb 03
0
serious security problem in XKB
...th to the compiler
$ cat > /tmp/xkbcomp
#!/bin/sh
id > /tmp/I_WAS_HERE
[ctrl+d]
$ chmod a+x /tmp/xkbcomp
$ Xserver -xkbdir /tmp
[X server executes /tmp/xkbcomp]
Further reading:
xc/programs/Xserver/xkb/xkbInit.c
xc/programs/Xserver/xkb/ddxLoad.c
xc/programs/Xserver/xkb/ddxList.c
--Pavel Kankovsky aka Peak [ Boycott Microsoft -- http://www.vcnet.com/bms ]
1997 Nov 13
0
another buffer overrun in sperl5.003
...exit;
}
}
$address += 128;
}
[end of exploit code]
I have tested this on two Red Hat 4.2 systems running on Intel (with
perl-5.003-8 and -9). I am pretty sure any Intel-like Linux having
sperl5.003 is affected.
Other platforms may be affected too.
Perl 5.004 is NOT VULNERABLE.
--Pavel Kankovsky aka Peak (troja.mff.cuni.cz network administration)
1998 Aug 13
0
summary of replies to [strange stuff in 'last' command]
...erent format in utmp and wtmp than
libc-5-based system. You have some applications in your system that
update utmp and/or wtmp, but which are compiled with libc-5 or even
which do not use library functions to update those files. Find them and
recompile or fix them.
******************
From: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
who dumps utmp, last dumps wtmp
> Reboots stop the problem for awhile but then it reappears.
reboot resets utmp...
> I also read that glibc has sometimes produced corruption in utmp. Do
> others notice this strange output of 'last?' Is t...
1998 Mar 12
1
Re: message rejected: Re: Re: Towards a solution of tmp-file problems.
G'day Roger,
Forwarding a message from wolff@BitWizard.nl:
> Passing by fd means coding changes.
>
> The C compiler classically compiles your C program to preprocessed C
> code in /tmp/ccxxxxx.i, throws that at the first compiler pass, ends
> up with /tmp/ccxxxxx.s, throws the assembler at that file, gets
> /tmp/ccxxxxxx.o and finally throws a linker at that file to
1998 May 26
0
Re: Beware of dangerous enviroment (Re: Overflows in minicom)
...attempt to abuse such a hole
could probably be detected if you audited environment variable settings of
security sensitive programs, and unusual directory lookups crossing ".."
entries. AFAIK, syscall auditing is a part of Linux-privs project and is
going to be merged into 2.3.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
(*) for a non-user, any program is privileged
(**) the actual meaning of "those" depends on the version of libc
(***) voila, I patched more getenv()s than I reported in my post:
MALLOC_*, NIS_*; I have to admit I do know whethe...
1998 Mar 09
2
Towards a solution of tmp-file problems.
Introduction.
------------
Every now and then a new "exploit" turns up of some program that uses
tmp files. The first solution was "sticky bits", but since links exist
(that's a LONG time), that solution is inadequate.
Discussion.
----------
The problem is that you put an object (link/pipe) in the place where
you expect a program to put its tempfile, and wait for
2000 Sep 16
15
Snapshot
Quite a few changes here, please test.
http://www.mindrot.org/misc/openssh/openssh-SNAP-20000916.tar.gz
-d
20000916
- (djm) New SuSE spec from Corinna Vinschen <corinna at vinschen.de>
- (djm) Update CygWin support from Corinna Vinschen <vinschen at cygnus.com>
- (djm) Use a real struct sockaddr inside the fake struct sockaddr_storage.
Patch from Larry Jones <larry.jones at