BugTraq
RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch. Nov 17 2004 09:27PM
rexolab (research rexotec com) (1 replies)
Re: RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch. Nov 18 2004 11:42AM
Hans-Bernhard Broeker (broeker physik rwth-aachen de) (1 replies)
Re: RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch. Nov 18 2004 01:51PM
rexolab (research rexotec com)
We are very serious in this matter as we already have discoused with you. We don't see why do you think we are joking ?
We have found this vulnerability there's already eighteen month but we have find it in 15-4 release of cscope.
The 15-5 version has the same problem....

Release date of advisory's publication is looking only at us.....

About the patch, sorry, we made a mistake in sending you a wrong one, and now we are sending you the right one :

8<-------------------cut--here------------------------------------------
--

diff -Naurp src_old/build.c src_new/build.c
--- src_old/build.c 2004-11-18 16:27:04.000000000 +0100
+++ src_new/build.c 2004-11-18 16:27:29.000000000 +0100
@@ -333,7 +333,7 @@ build(void)
(void) fprintf(stderr, "cscope: cannot open file %s\n", reffile);
myexit(1);
}
- if (invertedindex == YES && (postings = myfopen(temp1, "wb")) == NULL) {
+ if (invertedindex == YES && (postings = myfopen(temp1, "w+xb")) == NULL) {
cannotwrite(temp1);
cannotindex();
}
diff -Naurp src_old/display.c src_new/display.c
--- src_old/display.c 2004-11-18 16:27:04.000000000 +0100
+++ src_new/display.c 2004-11-18 16:27:29.000000000 +0100
@@ -431,7 +431,7 @@ search(void)
findresult = (*f)(pattern);
}
else {
- if ((nonglobalrefs = myfopen(temp2, "wb")) == NULL) {
+ if ((nonglobalrefs = myfopen(temp2, "w+xb")) == NULL) {
cannotopen(temp2);
return(NO);
}
@@ -754,13 +754,13 @@ BOOL
writerefsfound(void)
{
if (refsfound == NULL) {
- if ((refsfound = myfopen(temp1, "wb")) == NULL) {
+ if ((refsfound = myfopen(temp1, "w+xb")) == NULL) {
cannotopen(temp1);
return(NO);
}
} else {
(void) fclose(refsfound);
- if ( (refsfound = myfopen(temp1, "wb")) == NULL) {
+ if ( (refsfound = myfopen(temp1, "w+xb")) == NULL) {
postmsg("Cannot reopen temporary file");
return(NO);
}

8<----------------------------------------------cut-here----------------
-------------------

enjoy,

Mr Gangstuck & associates......

---
On Thu, 18 Nov 2004 12:42:33 +0100 (CET)
Hans-Bernhard Broeker <broeker (at) physik.rwth-aachen (dot) de [email concealed]> wrote:

> On Thu, 18 Nov 2004, rexolab wrote:
>
> > VulnDiscovery: 2003/05/21
> > Release Date : 2004/11/17
>
> Surely you're joking, Mr. Gangstuck. You can't seriously be telling us
> you sat on this for no less than 18 months, without telling anybody about
> it.
>
> Actually, I somewhat doubt you even discovered this yourself --- what with
> this very bug having been posted to cscope's bugtracker on 2004-11-09.
>
> > Status : vendor has just been notified.
>
> Actually, we've been notified 11 days ago, and apparently not by you.
>
> > First, the temporary directory (P_tmpdir="/tmp") is badly handled
> > in every myfopen() internal call.
>
> [... there doesn't seem to be a "second", to that first...]
>
> Anyway, you're right, the vulnerability is there. Unfortunately your
> patch is not quite sufficient to close it, because you overlooked
> that temp2, one of the two predictable filenames, is also used to
> construct an output redirection for a shell command run by cscope.
>
> --
> Hans-Bernhard Broeker (broeker (at) physik.rwth-aachen (dot) de [email concealed])
> Even if all the snow were burnt, ashes would remain.
>
>
>
> --
> Ce message ne contient pas de virus connu.
> neoDomaine Postmaster - http://www.neodomaine.com/
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus