ksrt.001.svgalib.zgv
e1d9a21d43cd9f810391a7c9307bd2cdd80ef013180bd217373eb8add105a749
PKUNZIP (R) FAST! Extract Utility Version 2.04g 02-01-93
Copr. 1989-1993 PKWARE Inc. All Rights Reserved. Registered version
PKUNZIP Reg. U.S. Pat. and Tm. Off.
þ 80486 CPU detected.
þ XMS version 3.00 detected.
Searching ZIP: LAPTOP2.ZIP
Inflating: ksrt.advisory.001 <to console>
From ksrt@DEC.NET Fri Jun 20 04:48:01 1997
Date: Thu, 19 Jun 1997 14:15:42 -0700
From: ksrt <ksrt@DEC.NET>
To: BUGTRAQ@netspace.org
Subject: svgalib/zgv
KSR[T] Advisory #001
Date: June 09, 1997
ID #: lin-svga-001
Operating System(s): Redhat Linux 3.0.3 - 4.1 / Any Linux with zgv setuid root.
Affected Program: svgalib/zgv-2.7 ( an svgalib GIF/JPG viewer )
Problem Description: svgalib 1.2.10 and below do not properly revoke
privileges, and through the use of saved user ids,
any svgalib application may still be vulnerable to
buffer overruns(stack overwrites).
zgv will take data from an environment variable (HOME),
and copies the entire length of the envirnment variable
into an automatic character buffer. The result is that
arbitrary code may be executed as root. There are also
overflows on the command line and through stdin.
Compromise: With zgv, the consequences are minimal, as only a user
who has access to the console can exploit this hole.
However, most svgalib applications are poorly written
from a security standpoint and the potential compromise
may be greater with other applications.
Patch/Fix: svgalib-1.2.11 will address this security issue. Look
for our upcoming paper on vulnerabilities in svgalib
that will explain proper programming methods and other
potential problems with svgalib applications.
---
Please note that this was not a full audit of zgv, and there may be other
security problems related to zgv.
-----
KSR[T] Website : http://www.dec.net/ksrt
E-mail: ksrt@dec.net