Re: [MSY] S(ecure)Locate heap corruption vulnerability

2000-11-29T00:00:00
ID SECURITYVULNS:DOC:992
Type securityvulns
Reporter Securityvulns
Modified 2000-11-29T00:00:00

Description

On Sun, Nov 26, 2000 at 11:38:25PM +0100, Michel Kaempf wrote: > The author, Kevin Lindsay, was contacted and confirmed Secure Locate > v2.3 is not affected by the vulnerability described in this advisory. > Every Secure Locate version, from 1.4 (included) to 2.2 (included), is > affected by the problem, and vulnerable to the exploit described below.

It's still vulnerable to other problems, however:

    $ slocate -U /dev -o $PWD/database
    $ ls -l database
    -rw-r-----   1 okir     slocate      3137 Nov 28 10:55 database

Whoops.

IMO, slocate should drop its privilege when given any of the "fishy" options such as database locations, request to update the database, etc.

I do not believe that there's much you can do with group slocate privilege except getting read access to the entire database, and discover that your co-worker is hiding S&M GIFs somewhere in his home directory (gasp!). That is, at least if your slocate binary and database directory are not writable by group slocate. If they are, you're in trouble.

Still, being called "secure" locate it should probably be a little less liberal with its privileges.

Cheers, Olaf -- Olaf Kirch | --- o --- Nous sommes du soleil we love when we play okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax okir@caldera.de +-------------------- Why Not?! ----------------------- UNIX, n.: Spanish manufacturer of fire extinguishers.