
svga.textmode.1.8.txt

17 Aug 1999 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Alert on a vulnerability in SVGATextMode 1.8: a race condition in the savetextmode utility.

`Date: Tue, 26 Oct 1999 19:14:50 +0300  
From: [email protected]  
To: [email protected]  
Subject: svgatextmode  
  
hello,  
I sent on bugtraq the bug with savetextmode.  
I thought that it belonged to SVGATextMode, but  
it is included in svgalib. So the threat is bigger...  
Please update your page.  
Regards,  
  
Adrian Voinea  
  
--------------------------------------------------------------------  
  
Date: Thu, 21 Oct 1999 23:01:34 +0300  
From: Adrian Voinea <[email protected]>  
To: [email protected]  
Subject: SVGATextMode 1.8 /tmp race  
  
Hello,  
savetextmode, a utility that comes with SVGATextMode 1.8, saves the text  
mode data in /tmp, in two files with the mode 644:  
  
[/tmp]  
root@Death# ls -lA  
total 1  
drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/  
  
[/tmp]  
root@Death# savetextmode  
svgalib: Using S3 driver (Trio64, 4096K).  
svgalib: s3: chipsets newer than S3-864 is not supported well yet.  
svgalib: RAMDAC: Trio64: MCLK = 47.131 MHz  
  
[/tmp]  
root@Death# ls -lA  
total 35  
drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/  
-rw-r--r-- 1 root gods 32768 Oct 21 22:56 fontdata  
-rw-r--r-- 1 root gods 385 Oct 21 22:56 textregs  
  
Also, I would like to add that savetextmode accepts no parameters.  
So... any user on the system that knows that the root is using  
SVGATextMode could link any of the files to a file that he wants to be  
overwritten.  
The e-mail is cc-ed to the maker of SVGATextMode, [email protected].  
  
.=-=-=-=-=-=-=-=-=.=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=.  
| Adrian Voinea |When I Die, I want to go like my grandfather did, |  
| [email protected] |peacefully in his sleep. Not yelling and screaming,|  
|TEL:+40 51 412146|like all the passengers in his car! .=-=-=-=-=-=-=-'  
`=-=-=-=-=-=-=-=-='=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'  
  
--------------------------------------------------------------------------  
  
Date: Thu, 22 Oct 1998 11:16:47 -0400  
From: Ben Collins <[email protected]>  
To: [email protected]  
Subject: Re: SVGATextMode 1.8 /tmp race  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
First off, savetextmode is NOT part of SVGATextMode, it is a script from  
svgalib. I checked the savetextmode on my debian 2.0 system (svgalib  
1.2.13):  
  
[root@goodguy(11:10am)-~]%cat /usr/bin/savetextmode  
#!/bin/sh  
  
set -o noclobber  
  
restoretextmode -w /dev/stdout > /tmp/textregs  
restorefont -w /dev/stdout > /tmp/fontdata  
  
The noclobber keeps it from overwriting any files. However, from the  
original svgalib source the script looks like this:  
  
[root@goodguy(11:13am)-~/svgalib-1.3.0/utils]%cat savetextmode  
#!/bin/sh  
restoretextmode -w /tmp/textregs  
restorefont -w /tmp/fontdata  
  
This WILL overwrite any files. So if you use the base svgalib, then  
you have a problem. NOTE: The Debian package for svgalib 1.3 directs the  
output to /etc/vga, so it is safe. I'm not sure if redhat has this changed  
or not.  
  
On Thu, 21 Oct 1999, Adrian Voinea wrote:  
  
> Hello,  
> savetextmode, a utility that comes with SVGATextMode 1.8, saves the text  
> mode data in /tmp, in two files with the mode 644:  
>  
> [/tmp]  
> root@Death# ls -lA  
> total 1  
> drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/  
>  
> [/tmp]  
> root@Death# savetextmode  
> svgalib: Using S3 driver (Trio64, 4096K).  
> svgalib: s3: chipsets newer than S3-864 is not supported well yet.  
> svgalib: RAMDAC: Trio64: MCLK = 47.131 MHz  
>  
> [/tmp]  
> root@Death# ls -lA  
> total 35  
> drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/  
> -rw-r--r-- 1 root gods 32768 Oct 21 22:56 fontdata  
> -rw-r--r-- 1 root gods 385 Oct 21 22:56 textregs  
>  
- ------------------------------------------------  
Ben Collins <[email protected]>  
UnixGroup Admin - NASA LaRC  
  
-----BEGIN PGP SIGNATURE-----  
Version: 2.6.3ia  
Charset: noconv  
  
iQCVAwUBNi9MZCo9WkFm9rsJAQHbbAP9EeG0NUGz0juhWAVe4xX1ax1b7ZWPnC1q  
CTGuEn7YvlRSCjRNoNbtaf//YZfubMaJfGf4df3t53FPlD+FfAJsl6d1pT/E5QoS  
RCBiT8Y2k2tAPPyXD9zR12vEMyBjEOXf9DZ/U7T40naTr27Pv4rEdmf8arZDtg6m  
9gNrLl9nnKk=  
=nvuw  
-----END PGP SIGNATURE-----  
`
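
The write patterns discussed in the thread, side by side, as an added example that is not part of the original advisory or of svgalib. `dump_regs` is a hypothetical stand-in for `restoretextmode -w /dev/stdout`, the function names are illustrative, and everything runs in a constructed sandbox directory rather than the real /tmp.

```shell
#!/bin/sh
# dump_regs is a hypothetical stand-in for `restoretextmode -w /dev/stdout`.
dump_regs() { printf 'constructed register dump\n'; }

# Upstream svgalib 1.3.0 pattern: write straight to a fixed path.
# An existing symlink at that path is followed and its target truncated.
save_plain() { dump_regs > "$1"; }

# Debian 2.0 pattern: noclobber makes the redirect fail when the path
# already exists, including when it is a symlink (dangling or not).
save_noclobber() {
    ( set -o noclobber; dump_regs > "$1" ) 2>/dev/null
}

# Hardened variant (assumption, not from the thread): no predictable name in
# a shared directory. mktemp -d creates a fresh 0700 directory atomically.
save_private() {
    (
        umask 077
        dir=$(mktemp -d "${2:-${TMPDIR:-/tmp}}/textmode.XXXXXX") || exit 1
        set -o noclobber
        dump_regs > "$dir/$1" && printf '%s\n' "$dir/$1"
    )
}

# Constructed sandbox: a file worth protecting plus a pre-existing symlink
# named like savetextmode's output file.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    printf 'important\n' > "$sb/victim"
    ln -s "$sb/victim" "$sb/textregs"
    printf '%s\n' "$sb"
}

# Walk through the three patterns against the sandbox.
sb=$(make_sandbox)
save_noclobber "$sb/textregs" || echo "noclobber: refused existing path"
save_plain "$sb/textregs"
echo "plain write left the protected file as: $(cat "$sb/victim")"
echo "private copy written to: $(save_private textregs "$sb")"
rm -rf "$sb"
```
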
