svga.textmode.1.8.txt
Posted Aug 17, 1999

Security hole in SVGATextMode 1.8 that can lead to local root compromise.

tags | exploit, local, root
SHA-256 | f042905677ce0d45b43647422bf37de967b6a89beee8a21ca3096faaf3f6ba85

Date: Tue, 26 Oct 1999 19:14:50 +0300
From: root@Death.GdS.RO
To: PacketStorm@Genocide2600.com
Subject: svgatextmode

hello,
I sent on bugtraq the bug with savetextmode.
I thought that it belonged to SVGATextMode, but
it is included in svgalib. So the threat is bigger...
Please update your page.
Regards,

Adrian Voinea

--------------------------------------------------------------------

Date: Thu, 21 Oct 1999 23:01:34 +0300
From: Adrian Voinea <root@DEATH.GDS.RO>
To: BUGTRAQ@netspace.org
Subject: SVGATextMode 1.8 /tmp race

Hello,
savetextmode, a utility that comes with SVGATextMode 1.8, saves the text
mode data in /tmp, in two files with the mode 644:

[/tmp]
root@Death# ls -lA
total 1
drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/

[/tmp]
root@Death# savetextmode
svgalib: Using S3 driver (Trio64, 4096K).
svgalib: s3: chipsets newer than S3-864 is not supported well yet.
svgalib: RAMDAC: Trio64: MCLK = 47.131 MHz

[/tmp]
root@Death# ls -lA
total 35
drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/
-rw-r--r-- 1 root gods 32768 Oct 21 22:56 fontdata
-rw-r--r-- 1 root gods 385 Oct 21 22:56 textregs

Also, I would like to add that savetextmode accepts no parameters.
So... any user on the system that knows that the root is using
SVGATextMode could link any of the files to a file that he wants to be
overwritten.
The e-mail is cc-ed to the maker of SVGATextMode, koen.gadeyne@barco.com.

.=-=-=-=-=-=-=-=-=.=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=.
| Adrian Voinea |When I Die, I want to go like my grandfather did, |
| adi@gds.ro |peacefully in his sleep. Not yelling and screaming,|
|TEL:+40 51 412146|like all the passengers in his car! .=-=-=-=-=-=-=-'
`=-=-=-=-=-=-=-=-='=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'

--------------------------------------------------------------------------

Date: Thu, 22 Oct 1998 11:16:47 -0400
From: Ben Collins <bmc@VISI.NET>
To: BUGTRAQ@netspace.org
Subject: Re: SVGATextMode 1.8 /tmp race

First off, savetextmode is NOT part of SVGATextMode, it is a script from
svgalib. I checked the savetextmode on my debian 2.0 system (svgalib
1.2.13):

[root@goodguy(11:10am)-~]%cat /usr/bin/savetextmode
#!/bin/sh

set -o noclobber

restoretextmode -w /dev/stdout > /tmp/textregs
restorefont -w /dev/stdout > /tmp/fontdata

The noclobber keeps it from overwriting any files. However, from the
original svgalib source the script looks like this:

[root@goodguy(11:13am)-~/svgalib-1.3.0/utils]%cat savetextmode
#!/bin/sh
restoretextmode -w /tmp/textregs
restorefont -w /tmp/fontdata

This WILL overwrite any files. So if you use the base svgalib, then
you have a problem. NOTE: The Debian package for svgalib 1.3 directs the
output to /etc/vga, so it is safe. I'm not sure if redhat has this changed
or not.

On Thu, 21 Oct 1999, Adrian Voinea wrote:

> Hello,
> savetextmode, a utility that comes with SVGATextMode 1.8, saves the text
> mode data in /tmp, in two files with the mode 644:
>
> [/tmp]
> root@Death# ls -lA
> total 1
> drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/
>
> [/tmp]
> root@Death# savetextmode
> svgalib: Using S3 driver (Trio64, 4096K).
> svgalib: s3: chipsets newer than S3-864 is not supported well yet.
> svgalib: RAMDAC: Trio64: MCLK = 47.131 MHz
>
> [/tmp]
> root@Death# ls -lA
> total 35
> drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/
> -rw-r--r-- 1 root gods 32768 Oct 21 22:56 fontdata
> -rw-r--r-- 1 root gods 385 Oct 21 22:56 textregs
>
------------------------------------------------
Ben Collins <b.m.collins@larc.nasa.gov>
UnixGroup Admin - NASA LaRC
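
Added example (not part of either post, and not svgalib or Debian code): the two mitigations mentioned above, written as shell functions. write_noclobber mirrors the Debian 2.0 script's noclobber redirect, and save_state writes only into a private directory, as the Debian svgalib 1.3 package does with /etc/vga. The function names are hypothetical, and mktemp and "test -O" are assumed to be available.

```sh
#!/bin/sh
# Added example, not svgalib or Debian code; function names are hypothetical.

# write_noclobber FILE: store stdin in FILE as the Debian 2.0 script does.
# With noclobber the shell creates FILE exclusively, so a file or symlink
# already present at that path makes the write fail instead of being followed.
write_noclobber() (
    set -o noclobber
    cat > "$1"
) 2>/dev/null

# dir_is_private DIR: true only for a real directory (not a symlink) that the
# caller owns and that group and others cannot write to.
dir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case $(ls -ld -- "$1" | cut -c1-10) in
        d????-??-?) return 0 ;;
    esac
    return 1
}

# save_state DIR NAME: store stdin as DIR/NAME, refusing shared directories.
# The data goes to an exclusively created temp file and is then renamed, so a
# link left at DIR/NAME is replaced rather than written through.
save_state() {
    dir_is_private "$1" || { echo "refusing: $1 is not private" >&2; return 1; }
    tmp=$(mktemp "$1/.$2.XXXXXX") || return 1
    if cat > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$1/$2"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

With these, savetextmode would become "restoretextmode -w /dev/stdout | save_state /etc/vga textregs", and the same for restorefont and fontdata.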
