Joey Hess <[EMAIL PROTECTED]> writes:

> Goswin von Brederlow wrote:
>> concerning your
>>
>> 1. Unsafe resource file reading.
>>
>> and
>>
>> 2. Unsafe XSHISENLIB environment variable.
>>
>> Both of them, if exploitable, would be bugs in the Xrm or Xpm library
>> respectively.
>>
>> The same argument can probably be made against pretty much any X
>> application and X itself. There is a lot of software that just loads
>> in user defined xpm files and such.
>
> Actually there's very little software that is suid/sgid and reads in
> user-controlled X resource files. In fact xshisen is the only such
> program I know of, aside from X itself (which I assume does so
> securely). I think that hole is likely exploitable, and it's not a bug
> in X, especially given the documentation.
That might be true for X resource files and the docs sound really scary
(also shown by your segfault). But aren't there any suid/sgid game
programs with xpm (or png or jpeg or any other complex lib for that
matter) support? Any kde/gnome program can probably be exploited by
messing with the theming support of them. At what point do you say this
library may not be used in a suid/sgid program? Is it even OK to use libc?

> It is a bug in the xpm library when a malformed xpm can be exploited.
> Such holes have been found before (CAN-2004-0914). However, such xpm
> bugs typically don't let a local user increase their permissions. The
> fact that xshisen turns a xpm exploit into a gid games exploit is a
> design hole in xshisen.
>
> --
> see shy jo

So what do you suggest? Fork, drop the suid/sgid in the child, load the
xpm and send the raw image through IPC back to the parent? Or create a
suid/sgid xshisen-scorefile-writer that encapsulates the scorefile access
(and just that) and run xshisen as normal user? Or should suid/sgid
programs never load user-controlled data (like kde/gnome theming or xpms)
at all? What are acceptable options?

Regards,
Goswin
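The first option Goswin raises (fork, drop the sgid bit in the child, parse the untrusted file there, and hand a fixed-size result back over a pipe) is the classic privilege-separation pattern. The following is an added, stand-alone C example, not code from the thread or from xshisen; it uses a hypothetical toy header format ("WIDTH HEIGHT COLORS") in place of libXpm, and the sample inputs are constructed. The point it shows is that the privileged parent never touches attacker-controlled bytes: only the unprivileged child parses, and the parent accepts nothing but a small struct of plain integers plus the child's exit status.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Result the unprivileged child sends back over the pipe: only plain
   integers, never pointers or raw buffers, so the privileged parent
   does no parsing of attacker-controlled data at all. */
struct image_hdr {
    int width;
    int height;
    int colors;
};

#define MAX_DIM 4096   /* assumed sanity bound on image dimensions */

/* Drop effective group and user ids to the real ones and verify that the
   drop took effect. Returns 0 on success, -1 otherwise. */
static int drop_privileges(void)
{
    /* group first: after the uid is dropped we could no longer change gid */
    if (setgid(getgid()) != 0) return -1;
    if (setuid(getuid()) != 0) return -1;
    if (getegid() != getgid() || geteuid() != getuid()) return -1;
    return 0;
}

/* Hypothetical, deliberately minimal parser for a toy header of the form
   "WIDTH HEIGHT COLORS\n" (stand-in for the XPM/Xrm parsing the thread is
   about). Returns 0 on success, -1 on malformed or oversized input. */
static int parse_header(const char *data, size_t len, struct image_hdr *out)
{
    char buf[64];
    if (len == 0 || len >= sizeof buf) return -1;
    memcpy(buf, data, len);
    buf[len] = '\0';
    if (sscanf(buf, "%d %d %d", &out->width, &out->height, &out->colors) != 3)
        return -1;
    if (out->width <= 0 || out->height <= 0 || out->colors <= 0) return -1;
    if (out->width > MAX_DIM || out->height > MAX_DIM) return -1;
    return 0;
}

/* Fork, drop privileges in the child, parse there, and ship the fixed-size
   result back through a pipe. Returns 0 on success, -1 if the child failed
   for any reason (malformed input, crash, or a privilege drop that did not
   take effect). */
int parse_unprivileged(const char *data, size_t len, struct image_hdr *out)
{
    int fds[2];
    pid_t pid;
    int status;
    ssize_t n;

    if (pipe(fds) != 0) return -1;
    pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }

    if (pid == 0) {
        struct image_hdr hdr;
        close(fds[0]);
        if (drop_privileges() != 0) _exit(2);   /* never parse while privileged */
        if (parse_header(data, len, &hdr) != 0) _exit(1);
        if (write(fds[1], &hdr, sizeof hdr) != (ssize_t)sizeof hdr) _exit(3);
        _exit(0);
    }

    close(fds[1]);
    n = read(fds[0], out, sizeof *out);   /* one small write, read atomically */
    close(fds[0]);
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    if (n != (ssize_t)sizeof *out) return -1;
    return 0;
}

int main(void)
{
    struct image_hdr hdr;
    const char good[] = "32 24 4\n";          /* constructed sample input */
    const char bad[]  = "99999 99999 4\n";    /* constructed oversized input */

    if (parse_unprivileged(good, sizeof good - 1, &hdr) == 0)
        printf("parsed %dx%d with %d colours\n", hdr.width, hdr.height, hdr.colors);
    if (parse_unprivileged(bad, sizeof bad - 1, &hdr) != 0)
        printf("rejected malformed header\n");
    return 0;
}
```

The parent keeps its sgid games privilege solely for the score-file write, which is the same boundary as the second option (a separate sgid scorefile-writer), just drawn inside one binary. A crash in the parser (the segfault mentioned above) ends the child with a signal, so WIFEXITED fails and the parent simply reports an error instead of running corrupted code with elevated privileges.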