From: James Courtier-D. <Ja...@su...> - 2004-03-23 18:17:08
Miguel Freitas wrote:
> On Tue, 2004-03-23 at 12:43, Michael Roitzsch wrote:
>
>>I have seen this post on Bugtraq (see attachment). Did anyone know of this?
>>Any ideas on a solution?
>
>
> Is this really a vulnerability?
>
> xine-check explicitly warns about running it with root priorities. how
> exactly is this thing exploitable?
>
> #!/bin/sh
> ln -s /etc/nologin /tmp/xine-bugreport
> echo Please enter root password, i'm going to do something pretty nasty.
> su -c xine-check
>
> and why not:
>
> #!/bin/sh
> ln -s /etc/nologin /tmp/xine-bugreport
> echo Please enter root password, i'm going to do something pretty nasty.
> su -c 'echo whatever >> /tmp/xine-bugreport'
>
> ops, i just found a vulnerability in "echo"... ;-)
>
> i might be way off, but isn't this guy nitpicking here? of course if
> xine-check were a setuid or meant to be run as root, we would have a
> quite serious issue.
>
> regards,
>
> Miguel
>

I think that all we need to do to fix this is somehow ensure that
/tmp/xine-bugreport is NOT a symlink.

Cheers
James
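
The fix discussed in this message, written out as an added example (not part of the original thread and not xine-check's own code): the fixed-name append, the "is it a symlink?" check, and a swapped-in alternative that creates the report with mktemp. The function names are hypothetical, and mktemp(1) accepting a full path template is assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from xine-check.

# Weak pattern: a fixed, predictable name in a shared directory.
# '>>' follows whatever symlink already sits at that name.
write_report_fixed() {      # $1 = directory, $2 = text
    echo "$2" >> "$1/xine-bugreport"
}

# The check from the thread: refuse to write if the name is a symlink.
# There is still a gap between the test and the open in which the name
# can be replaced, so this narrows the problem rather than closing it.
write_report_checked() {    # $1 = directory, $2 = text
    report="$1/xine-bugreport"
    if [ -L "$report" ]; then
        echo "refusing: $report is a symbolic link" >&2
        return 1
    fi
    echo "$2" >> "$report"
}

# Alternative without the gap: mktemp creates a brand-new file under an
# unpredictable name in one atomic step, so a link planted in advance
# is never opened. Prints the path it used.
write_report_mktemp() {     # $1 = directory, $2 = text
    report=$(mktemp "$1/xine-bugreport.XXXXXX") || return 1
    echo "$2" >> "$report"
    echo "$report"
}
```

With the mktemp variant the report name changes on every run, so the script has to tell the user where the report was written.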