On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote:

> the login name is stored in a 20 byte buffer using the strcpy() function
> (which does no bounds checking). 'useradd' (the utility used to add users
> to the system) however allows usernames of over 20 characters (32 at most
> on my distribution).
>
> Therefore, running crontab as a user whose login name exceeds 20 characters
> crashes it.

I don't see any real-world scenarios where this would be exploitable - usernames must be set by the administrator. Even in the case of e.g. a hostile NIS server, the NIS server can probably just add an account with uid 0 and log in to the client with root privileges.

Kris
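
The bounds check that the quoted report says is missing, as an added example that is not part of the original message and is not vixie cron's code. The function name and the sample login names are hypothetical; the 20-byte buffer size and the 32-character limit are the figures from the report.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOGIN_BUF_SIZE 20   /* buffer size given in the report */

/*
 * Pattern described in the report, for contrast only:
 *     char login[LOGIN_BUF_SIZE];
 *     strcpy(login, name);      // overruns when strlen(name) >= 20
 *
 * Checked copy (hypothetical helper). Returns 0 on success, -1 on failure.
 * An over-long name is rejected instead of truncated: a truncated login
 * name could match a different, shorter account name.
 */
int store_login_checked(char *dst, size_t dstsize, const char *name)
{
    size_t len;

    if (dst == NULL || name == NULL || dstsize == 0) {
        errno = EINVAL;
        return -1;
    }
    len = strlen(name);
    if (len >= dstsize) {          /* no room for the terminating NUL */
        dst[0] = '\0';             /* leave a defined, empty result */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, name, len + 1);    /* copies the NUL as well */
    return 0;
}

int main(void)
{
    /* Constructed sample names: one short, one at the 32-character limit. */
    const char *names[] = { "alice", "abcdefghijklmnopqrstuvwxyz012345" };
    char login[LOGIN_BUF_SIZE];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (store_login_checked(login, sizeof login, names[i]) == 0)
            printf("accepted: %s\n", login);
        else
            printf("rejected (%zu chars): %s\n", strlen(names[i]), names[i]);
    }
    return 0;
}
```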