Dosemu S-Lang Vulnerability
As noted by Erik Mouw (J.A.K.Mouw@ITS.TUDELFT.NL)
Last saturday, the Dosemu Team released Dosemu 0.99.6 which fixes the Slang hole. This is a development release, but the changes will also come in the next stable release, Dosemu 0.98.5. From the ChangeLog:
99/01/06 ver. 0.99.5.3 unofficial pre-release From Hans - upgraded to slang-1.2.2 because of buffer overrun exploits in 1.0.3. Verified, that _both_ exploits are fixed. - fixed (now) possible buffer overrun in verror (utilities.c), because slang-1.2.2 fixed its exploit by passing the involved printout via (*SLang_Exit_Error_Hook)() to _our_ hooking routine. (well, so we now have it ;-)
Dosemu 0.99.6 is available at: ftp://ftp.dosemu.org:/dosemu/Development/dosemu-0.99.6.tgz
People using the 0.98 stable release should not run Dosemu suid root. Remove the s-bit from the Dosemu binary and wait for the next stable 0.98.5 release.
There is some security related documentation for Dosemu available at http://www.dosemu.org/docs/README/0.98/README-3.html , although it is a bit outdated.
Note that any Dosemu version running suid root with DPMI enabled is inherently unsafe. A DPMI program in Dosemu is able to use Linux system calls, including system calls that require root privileges. The Dosemu Team is not able to fix this security hole; system administrators who are serious about security, should not install Dosemu suid-root. Dosemu can run non-suid on the Slangterminal, under X, in the background and even on serial lines (bbs'es for example).