Bug 39506 - Slocate heap overflow
Summary: Slocate heap overflow
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2004-01-26 14:38 UTC by Tim Yamin (RETIRED)
Modified: 2004-01-28 09:28 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Attachments
Patch [CAN-2003-0848] (slocate-2.6-can-2003-0848.patch,2.59 KB, patch)
2004-01-26 14:39 UTC, Tim Yamin (RETIRED)
Description Tim Yamin (RETIRED) gentoo-dev 2004-01-26 14:38:55 UTC
http://linuxtoday.com/security/2004012602726SCRH

Attaching patch hither; and working on a GLSA.
Comment 1 Tim Yamin (RETIRED) gentoo-dev 2004-01-26 14:39:38 UTC
Created attachment 24465 [details, diff]
Patch [CAN-2003-0848]
Comment 2 Joshua Brindle (RETIRED) gentoo-dev 2004-01-26 14:50:38 UTC
Does it strike anyone else that the overflow should actually be fixed in addition to dropping privs? I don't think this is a complete solution.
Comment 3 Tim Yamin (RETIRED) gentoo-dev 2004-01-26 15:22:16 UTC
It seems that RedHat et al. may have not read things properly: http://www.ebitech.sk/patrik/SA/SA-20031006.txt says that "slocate version 2.6 and below is vulnerable. slocate version 2.7 and all packages based on this version are not vulnerable." Meanwhile http://linuxtoday.com/security/2004012602726SCRH says that 2.7 is vulnerable.

===

True; but as this is an overflow I'm not sure if you can do much other than do more bound checking, which is essentially what dropping privileges does, as it prevents bad databases from going in, which so far seems to be the only attack vector.

>> Suggested and correct patch is to change condition on line 1263 to pathlen <= 0. <<

http://www.ebitech.sk/patrik/SA/SA-20031006-A.txt for more details.
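The comment above argues that bound checking on the database is the real fix, since a crafted database is the only attack vector. As an added illustration, and not code from this bug, from the attached patch, or from slocate itself, here is a small decoder for a locate-style prefix-compressed path database that validates every record before it writes into its path buffer. The record layout (one signed delta byte for the shared-prefix count, then a NUL-terminated suffix), the buffer size DB_PATH_MAX, and all function names are assumptions made for the example; the sample databases are constructed inline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DB_PATH_MAX 64   /* deliberately small so the samples can hit the limit */

enum db_status {
    DB_OK = 0,
    DB_ERR_NEG_PREFIX,       /* delta drove the shared-prefix count below zero */
    DB_ERR_PREFIX_PAST_END,  /* shared prefix longer than the previous path */
    DB_ERR_UNTERMINATED,     /* suffix runs off the end of the input */
    DB_ERR_TOO_LONG          /* decoded path would not fit the buffer */
};

struct db_decoder {
    char path[DB_PATH_MAX];  /* current decoded path, NUL-terminated */
    int  pathlen;            /* bytes in path, excluding the NUL */
    int  shared;             /* running shared-prefix count */
};

void db_decoder_init(struct db_decoder *d) { memset(d, 0, sizeof *d); }

/* Decode one record at in[*pos], advancing *pos past it.
 * Assumed layout: byte 0 is a signed delta added to the shared-prefix count,
 * followed by the NUL-terminated suffix to append after that prefix.
 * On any error the decoder state is left untouched. */
enum db_status db_decode_record(struct db_decoder *d, const unsigned char *in,
                                size_t inlen, size_t *pos)
{
    if (*pos >= inlen) return DB_ERR_UNTERMINATED;
    int delta  = (signed char)in[*pos];
    int shared = d->shared + delta;
    /* A forged delta must not be allowed to make the prefix count negative... */
    if (shared < 0) return DB_ERR_NEG_PREFIX;
    /* ...nor to claim more prefix than the previous path actually holds. */
    if (shared > d->pathlen) return DB_ERR_PREFIX_PAST_END;
    /* Locate the suffix terminator without reading past the input. */
    size_t start = *pos + 1;
    const unsigned char *nul = memchr(in + start, '\0', inlen - start);
    if (!nul) return DB_ERR_UNTERMINATED;
    size_t suffixlen = (size_t)(nul - (in + start));
    /* The new path, NUL included, must fit in the fixed buffer. */
    if ((size_t)shared + suffixlen >= sizeof d->path) return DB_ERR_TOO_LONG;
    memcpy(d->path + shared, in + start, suffixlen + 1);
    d->pathlen = shared + (int)suffixlen;
    d->shared  = shared;
    *pos = start + suffixlen + 1;
    return DB_OK;
}

/* Decode every record in the buffer; stop at the first malformed one. */
enum db_status db_decode_all(struct db_decoder *d, const unsigned char *in,
                             size_t inlen, size_t *nrec)
{
    size_t pos = 0;
    *nrec = 0;
    while (pos < inlen) {
        enum db_status st = db_decode_record(d, in, inlen, &pos);
        if (st != DB_OK) return st;
        (*nrec)++;
    }
    return DB_OK;
}

/* Constructed well-formed sample: "/usr/bin", "/usr/bin/ls", "/usr/lib". */
static const unsigned char good_db[] = {
    0x00, '/', 'u', 's', 'r', '/', 'b', 'i', 'n', '\0',
    0x08, '/', 'l', 's', '\0',          /* keep 8 bytes, append "/ls"  */
    0xFD, 'l', 'i', 'b', '\0'           /* delta -3: keep "/usr/", append "lib" */
};

/* Decode the good sample and return the last path, or NULL on error. */
const char *demo_good_last_path(void)
{
    static struct db_decoder d;
    size_t n;
    db_decoder_init(&d);
    if (db_decode_all(&d, good_db, sizeof good_db, &n) != DB_OK || n != 3) return NULL;
    return d.path;
}

/* Constructed malformed samples; each one trips exactly one check. */
enum db_status demo_malformed(int which)
{
    static const unsigned char neg_prefix[]   = { 0x00, '/', 'a', '\0', 0xF0, 'x', '\0' }; /* delta -16 */
    static const unsigned char past_end[]     = { 0x00, '/', 'a', '\0', 0x10, 'x', '\0' }; /* delta +16 > 2 */
    static const unsigned char unterminated[] = { 0x00, '/', 'a' };                        /* no NUL */
    static unsigned char too_long[DB_PATH_MAX + 2];   /* delta 0, DB_PATH_MAX x 'A', NUL */
    struct db_decoder d;
    size_t n;
    db_decoder_init(&d);
    memset(too_long, 'A', sizeof too_long);
    too_long[0] = 0x00;
    too_long[sizeof too_long - 1] = '\0';
    switch (which) {
    case 1:  return db_decode_all(&d, neg_prefix,   sizeof neg_prefix,   &n);
    case 2:  return db_decode_all(&d, past_end,     sizeof past_end,     &n);
    case 3:  return db_decode_all(&d, unterminated, sizeof unterminated, &n);
    default: return db_decode_all(&d, too_long,     sizeof too_long,     &n);
    }
}

int main(void)
{
    printf("last good path: %s\n", demo_good_last_path());
    for (int i = 1; i <= 4; i++) printf("malformed sample %d -> status %d\n", i, demo_malformed(i));
    return 0;
}
```

The point of the four checks is that every quantity taken from the file (the delta, the resulting prefix count, and the suffix length) is compared against what the decoder actually holds before any byte is written; a decoder that rejects malformed records this way does not need to rely on privilege separation as its only safety net, though running the reader with the least privilege it needs remains worthwhile in addition.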
Comment 4 solar (RETIRED) gentoo-dev 2004-01-27 23:39:56 UTC
Did somebody recently clean up slocate in CVS? The only thing I see in there is 2.7*, which was never supposed to be vuln in the first place.

If that's the case then this bug is INVALID.
Comment 5 solar (RETIRED) gentoo-dev 2004-01-27 23:54:26 UTC
If that's not the case ^
Comment 6 Tim Yamin (RETIRED) gentoo-dev 2004-01-28 08:53:27 UTC
I guess this is INVALID then as we seem to have no confirmation of 2.7 being vulnerable :-)
Comment 7 solar (RETIRED) gentoo-dev 2004-01-28 09:28:52 UTC
It's hard to tell one way or the other. Let's just keep current :)