Date: Tue, 26 Oct 1999 19:14:50 +0300
From: root@Death.GdS.RO
To: PacketStorm@Genocide2600.com
Subject: svgatextmode

hello,

I sent on bugtraq the bug with savetextmode. I thought that it belonged to
SVGATextMode, but it is included in svgalib. So the threat is bigger...
Please update your page.

Regards,
Adrian Voinea

--------------------------------------------------------------------

Date: Thu, 21 Oct 1999 23:01:34 +0300
From: Adrian Voinea
To: BUGTRAQ@netspace.org
Subject: SVGATextMode 1.8 /tmp race

Hello,
savetextmode, a utility that comes with SVGATextMode 1.8, saves the text
mode data in /tmp, in two files with the mode 644:

[/tmp]
root@Death# ls -lA
total 1
drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/

[/tmp]
root@Death# savetextmode
svgalib: Using S3 driver (Trio64, 4096K).
svgalib: s3: chipsets newer than S3-864 is not supported well yet.
svgalib: RAMDAC: Trio64: MCLK = 47.131 MHz

[/tmp]
root@Death# ls -lA
total 35
drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/
-rw-r--r-- 1 root gods 32768 Oct 21 22:56 fontdata
-rw-r--r-- 1 root gods 385 Oct 21 22:56 textregs

Also, I would like to add that savetextmode accepts no parameters.

So... any user on the system that knows that the root is using
SVGATextMode could link any of the files to a file that he wants to be
overwritten.

The e-mail is cc-ed to the maker of SVGATextMode, koen.gadeyne@barco.com.

.=-=-=-=-=-=-=-=-=.=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=.
| Adrian Voinea   |When I Die, I want to go like my grandfather did,  |
| adi@gds.ro      |peacefully in his sleep. Not yelling and screaming,|
|TEL:+40 51 412146|like all the passengers in his car!
.=-=-=-=-=-=-=-' `=-=-=-=-=-=-=-=-='=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'

--------------------------------------------------------------------------

Date: Thu, 22 Oct 1998 11:16:47 -0400
From: Ben Collins
To: BUGTRAQ@netspace.org
Subject: Re: SVGATextMode 1.8 /tmp race

First off, savetextmode is NOT part of SVGATextMode, it is a script from
svgalib. I checked the savetextmode on my debian 2.0 system (svgalib
1.2.13):

[root@goodguy(11:10am)-~]%cat /usr/bin/savetextmode
#!/bin/sh
set -o noclobber
restoretextmode -w /dev/stdout > /tmp/textregs
restorefont -w /dev/stdout > /tmp/fontdata

The noclobber keeps it from overwriting any files. However, from the
original svgalib source the script looks like this:

[root@goodguy(11:13am)-~/svgalib-1.3.0/utils]%cat savetextmode
#!/bin/sh
restoretextmode -w /tmp/textregs
restorefont -w /tmp/fontdata

This WILL overwrite any files. So if you use the base svgalib, then you
have a problem.

NOTE: The Debian package for svgalib 1.3 directs the output to /etc/vga,
so it is safe. I'm not sure if redhat has this changed or not.

On Thu, 21 Oct 1999, Adrian Voinea wrote:

> Hello,
> savetextmode, a utility that comes with SVGATextMode 1.8, saves the text
> mode data in /tmp, in two files with the mode 644:
>
> [/tmp]
> root@Death# ls -lA
> total 1
> drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/
>
> [/tmp]
> root@Death# savetextmode
> svgalib: Using S3 driver (Trio64, 4096K).
> svgalib: s3: chipsets newer than S3-864 is not supported well yet.
> svgalib: RAMDAC: Trio64: MCLK = 47.131 MHz
>
> [/tmp]
> root@Death# ls -lA
> total 35
> drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/
> -rw-r--r-- 1 root gods 32768 Oct 21 22:56 fontdata
> -rw-r--r-- 1 root gods 385 Oct 21 22:56 textregs
>

------------------------------------------------
Ben Collins UnixGroup Admin - NASA LaRC
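
Added example, not part of either message and not svgalib or Debian code: the two script behaviours quoted in the reply above, each run in a scratch directory where textregs already exists as a link, next to a variant that writes into a private directory. dump_regs is a hypothetical stand-in for `restoretextmode -w /dev/stdout`, and every path lives in a throwaway mktemp sandbox.

```shell
#!/bin/sh
# Added example; not svgalib or Debian code.
# dump_regs is a hypothetical stand-in for `restoretextmode -w /dev/stdout`
# and emits constructed sample data.
dump_regs() { printf 'constructed-textregs-data\n'; }

# Behaviour of the svgalib 1.3.0 script: plain write to a fixed name, which
# follows whatever already sits at that name.
save_clobber() { dump_regs > "$1/textregs"; }

# Behaviour of the Debian 2.0 script: with noclobber the redirect fails when
# the name already exists, so nothing is written through a planted link.
save_noclobber() {
    ( set -o noclobber; dump_regs > "$1/textregs" ) 2>/dev/null
}

# Variant assumed for illustration: a fresh mktemp directory (mode 700) and
# umask 077, so the name cannot be pre-created and the file is not mode 644.
save_private() {
    ( umask 077
      d=$(mktemp -d "$1/textmode.XXXXXX") || exit 1
      dump_regs > "$d/textregs" && printf '%s\n' "$d/textregs" )
}

# Build a sandbox in which "textregs" is already a link to another file, run
# one variant, and report whether that other file kept its content.
check_variant() {
    sandbox=$(mktemp -d) || return 1
    printf 'original\n' > "$sandbox/victim"
    mkdir "$sandbox/tmp"
    ln -s "$sandbox/victim" "$sandbox/tmp/textregs"
    "$1" "$sandbox/tmp" >/dev/null 2>&1 || true
    if [ "$(cat "$sandbox/victim")" = original ]; then
        echo intact
    else
        echo overwritten
    fi
    rm -rf "$sandbox"
}

for v in save_clobber save_noclobber save_private; do
    printf '%-15s linked file: %s\n' "$v" "$(check_variant "$v")"
done
```

save_noclobber returns non-zero when the name is already taken, so a caller has to check the exit status rather than assume the text mode was saved.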