Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Mon, 13 Nov 2000 05:57:40 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Mon, 13 Nov 2000 05:57:20 -0500 Received: from ppp0.ocs.com.au ([203.34.97.3]:65040 "HELO mail.ocs.com.au") by vger.kernel.org with SMTP id ; Mon, 13 Nov 2000 05:57:15 -0500 X-Mailer: exmh version 2.1.1 10/15/1999 From: Keith Owens To: linux-kernel@vger.kernel.org Subject: Local root exploit with kmod and modutils > 2.1.121 Date: Mon, 13 Nov 2000 21:57:08 +1100 Message-ID: <2329.974113028@ocs3.ocs-net> Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Content-Type: text/plain; charset=us-ascii A local root exploit has been found using kernels compiled with kmod and modutils > 2.1.121. Kernels without kmod and systems using modutils 2.1.121 are not affected. Patch against modutils 2.3.19, it should fit any 2.3 modutils. Index: 19.7/util/meta_expand.c - --- 19.7/util/meta_expand.c Sun, 10 Sep 2000 12:56:40 +1100 kaos (modutils-2.3/10_meta_expan 1.4 644) +++ 19.7(w)/util/meta_expand.c Mon, 13 Nov 2000 21:19:41 +1100 kaos (modutils-2.3/10_meta_expan 1.4 644) @@ -156,12 +156,8 @@ static int glob_it(char *pt, GLOB_LIST * */ int meta_expand(char *pt, GLOB_LIST *g, char *base_dir, char *version) { - - FILE *fin; - - int len = 0; - - char *line = NULL; char *p; char tmpline[PATH_MAX + 1]; - - char tmpcmd[PATH_MAX + 11]; g->pathc = 0; g->pathv = NULL; @@ -277,38 +273,6 @@ int meta_expand(char *pt, GLOB_LIST *g, /* Only "=" remaining, should be module options */ split_line(g, pt, 0); return 0; - - } - - - - /* - - * Last resort: Use "echo" - - */ - - sprintf(tmpline, "%s%s", (base_dir ? base_dir : ""), pt); - - sprintf(tmpcmd, "/bin/echo %s", tmpline); - - if ((fin = popen(tmpcmd, "r")) == NULL) { - - error("Can't execute: %s", tmpcmd); - - return -1; - - } - - /* else */ - - - - /* - - * Collect the result - - */ - - while (fgets(tmpcmd, PATH_MAX, fin) != NULL) { - - int l = strlen(tmpcmd); - - - - line = (char *)xrealloc(line, len + l + 1); - - line[len] = '\0'; - - strcat(line + len, tmpcmd); - - len += l; - - } - - pclose(fin); - - - - if (line) { - - /* Ignore result if no expansion occurred */ - - strcat(tmpline, "\n"); - - if (strcmp(tmpline, line)) - - split_line(g, line, 0); - - free(line); } return 0; -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.3 (GNU/Linux) Comment: Exmh version 2.1.1 10/15/1999 iD8DBQE6D8kEi4UHNye0ZOoRAmVTAKCktbi9DI5t0sj8wd1/vjLtgwVW6QCgnO0L mVbPskoIGSSyTE8I9K7FcAg= =Z1/L -----END PGP SIGNATURE----- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/