Message-ID: <20041118175104.315e0bf7.research@rexotec.com>
Date: Thu, 18 Nov 2004 17:51:04 +0400
From: rexolab <research@...otec.com>
To: bugtraq@...urityfocus.com, cert@...t.org, vuln@...unia.com,
   full-disclosure@...ts.netsys.com
Subject: Re: RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch.
We are very serious about this matter, as we have already discussed with you. We don't see why you think we are joking.
We found this vulnerability eighteen months ago already, but we found it in the 15-4 release of cscope.
The 15-5 version has the same problem.
The release date of the advisory's publication concerns only us.
About the patch: sorry, we made a mistake and sent you the wrong one. Here is the right one:
8<-------------------cut--here--------------------------------------------
diff -Naurp src_old/build.c src_new/build.c
--- src_old/build.c	2004-11-18 16:27:04.000000000 +0100
+++ src_new/build.c	2004-11-18 16:27:29.000000000 +0100
@@ -333,7 +333,7 @@ build(void)
 		(void) fprintf(stderr, "cscope: cannot open file %s\n", reffile);
 		myexit(1);
 	}
-	if (invertedindex == YES && (postings = myfopen(temp1, "wb")) == NULL) {
+	if (invertedindex == YES && (postings = myfopen(temp1, "w+xb")) == NULL) {
 		cannotwrite(temp1);
 		cannotindex();
 	}
diff -Naurp src_old/display.c src_new/display.c
--- src_old/display.c	2004-11-18 16:27:04.000000000 +0100
+++ src_new/display.c	2004-11-18 16:27:29.000000000 +0100
@@ -431,7 +431,7 @@ search(void)
 			findresult = (*f)(pattern);
 		}
 		else {
-			if ((nonglobalrefs = myfopen(temp2, "wb")) == NULL) {
+			if ((nonglobalrefs = myfopen(temp2, "w+xb")) == NULL) {
 				cannotopen(temp2);
 				return(NO);
 			}
@@ -754,13 +754,13 @@ BOOL
 writerefsfound(void)
 {
 	if (refsfound == NULL) {
-		if ((refsfound = myfopen(temp1, "wb")) == NULL) {
+		if ((refsfound = myfopen(temp1, "w+xb")) == NULL) {
 			cannotopen(temp1);
 			return(NO);
 		}
 	} else {
 		(void) fclose(refsfound);
-		if ( (refsfound = myfopen(temp1, "wb")) == NULL) {
+		if ( (refsfound = myfopen(temp1, "w+xb")) == NULL) {
 			postmsg("Cannot reopen temporary file");
 			return(NO);
 		}
8<----------------------------------------------cut-here-----------------------------------
enjoy,
Mr Gangstuck & associates......
---
On Thu, 18 Nov 2004 12:42:33 +0100 (CET)
Hans-Bernhard Broeker <broeker@...sik.rwth-aachen.de> wrote:
> On Thu, 18 Nov 2004, rexolab wrote:
> 
> >    VulnDiscovery:	2003/05/21
> >    Release Date :	2004/11/17
> 
> Surely you're joking, Mr. Gangstuck.  You can't seriously be telling us
> you sat on this for no less than 18 months, without telling anybody about
> it.
> 
> Actually, I somewhat doubt you even discovered this yourself --- what with
> this very bug having been posted to cscope's bugtracker on 2004-11-09.
> 
> >    Status       :	vendor has just been notified.
> 
> Actually, we've been notified 11 days ago, and apparently not by you.
> 
> >    First, the temporary directory (P_tmpdir="/tmp") is badly handled 
> >    in every myfopen() internal call.
> 
> [... there doesn't seem to be a "second", to that first...]
> 
> Anyway, you're right, the vulnerability is there.  Unfortunately your
> patch is not quite sufficient to close it, because you overlooked 
> that temp2, one of the two predictable filenames, is also used to
> construct an output redirection for a shell command run by cscope.
> 
> -- 
> Hans-Bernhard Broeker (broeker@...sik.rwth-aachen.de)
> Even if all the snow were burnt, ashes would remain.
> 
> 
> 
> --
> This message contains no known virus.
> neoDomaine Postmaster - http://www.neodomaine.com/
> 
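The symlink race this thread is about, and the difference between the patch's O_EXCL-style mitigation and a mkstemp()-based fix, shown in C as an added example that is neither cscope code nor from either poster. It assumes a writable /tmp (falling back to the current directory), uses an invented "predictable" name cscope4242.1 inside a private mkdtemp() sandbox rather than cscope's real temp names, and constructs the attacker's symlink and the victim file itself so it runs offline.

```c
/* Feature macro first so mkdtemp(), mkstemp() and symlink() are declared. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Repeated prototypes: harmless when the headers already declare them,
 * and they keep the file building if a strict -std= hides the POSIX ones. */
char *mkdtemp(char *tmpl);
int mkstemp(char *tmpl);
int symlink(const char *target, const char *linkpath);

/* Bits reported by run_demo(). */
enum {
    DEMO_VULN_CLOBBERED = 1,  /* fopen(path,"wb") wrote through the planted symlink    */
    DEMO_EXCL_REFUSED   = 2,  /* O_CREAT|O_EXCL open failed with EEXIST, target intact */
    DEMO_MKSTEMP_OK     = 4   /* mkstemp() gave a fresh regular file, no group/other bits */
};

/* Read a small file by its real path; 1 if its contents equal `want`. */
static int file_contains(const char *path, const char *want) {
    char buf[64];
    FILE *fp = fopen(path, "rb");
    if (!fp) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return strcmp(buf, want) == 0;
}

static void write_file(const char *path, const char *text) {
    FILE *fp = fopen(path, "wb");
    if (fp) { fputs(text, fp); fclose(fp); }
}

/* Vulnerable pattern (cscope's original "wb" opens on a predictable name):
 * fopen() follows a symlink the attacker planted, so the write lands in
 * whatever the link points at. */
static int vulnerable_create(const char *path) {
    FILE *fp = fopen(path, "wb");
    if (!fp) return 0;
    fputs("owned\n", fp);
    fclose(fp);
    return 1;
}

/* What the posted patch's "x" flag does underneath: O_CREAT|O_EXCL refuses
 * to open if anything, a symlink included, already exists at the path.
 * The name is still predictable, so a pre-created plain file still blocks us. */
static int exclusive_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Robust fix: let mkstemp() pick an unpredictable name and create it
 * atomically with O_EXCL and mode 0600, then keep using the fd. */
static int unpredictable_create(char *tmpl) {
    return mkstemp(tmpl);
}

int run_demo(void) {
    int result = 0;
    char dir[64] = "/tmp/symlinkdemo.XXXXXX";   /* private sandbox, constructed for the demo */
    if (!mkdtemp(dir)) {
        strcpy(dir, "./symlinkdemo.XXXXXX");    /* fall back to the current directory */
        if (!mkdtemp(dir)) return -1;
    }

    char victim[256], planted[256], tmpl[256];
    snprintf(victim,  sizeof victim,  "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/cscope4242.1", dir); /* invented "predictable" name */
    snprintf(tmpl,    sizeof tmpl,    "%s/cscope.XXXXXX", dir);

    /* The attacker plants the link before the victim program runs. */
    write_file(victim, "secret\n");
    if (symlink(victim, planted) == 0) {
        vulnerable_create(planted);
        if (file_contains(victim, "owned\n"))
            result |= DEMO_VULN_CLOBBERED;

        write_file(victim, "secret\n");
        int fd = exclusive_create(planted);
        if (fd < 0 && errno == EEXIST && file_contains(victim, "secret\n"))
            result |= DEMO_EXCL_REFUSED;
        if (fd >= 0) close(fd);
    }

    int fd = unpredictable_create(tmpl);
    struct stat st;
    if (fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
        && (st.st_mode & 0077) == 0)
        result |= DEMO_MKSTEMP_OK;
    if (fd >= 0) { close(fd); unlink(tmpl); }

    unlink(planted); unlink(victim); rmdir(dir);
    return result;
}

int main(void) {
    int r = run_demo();
    printf("fopen(\"wb\") followed the symlink: %s\n", (r & DEMO_VULN_CLOBBERED) ? "yes" : "no");
    printf("O_EXCL open refused the symlink:   %s\n", (r & DEMO_EXCL_REFUSED) ? "yes" : "no");
    printf("mkstemp() made a fresh 0600 file:  %s\n", (r & DEMO_MKSTEMP_OK) ? "yes" : "no");
    return 0;
}
```

The O_EXCL variant is exactly what the "x" mode flag in the posted patch buys: the open refuses the planted link, but because the name is still guessable an attacker can pre-create an ordinary file there and deny service, and any code that later reopens the same name by path (as the display.c reopen does) or hands it to a shell is unprotected. mkstemp() removes the guessable name entirely; the remaining rule is to keep using the returned fd rather than the path.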
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html