Re: NIS+ groups, segfaults
From: Thorsten Kukuk
Subject: Re: NIS+ groups, segfaults
Date: Tue, 6 Mar 2001 22:34:46 +0100
User-agent: Mutt/1.2.5i
On Tue, Mar 06, Dirk Wetter wrote:
>
> Hi,
>
> I am new to this list, I am not even subscribed to it.
> But I would appreciate if the bug which we found
> (see below) would be fixed *at_least* in the next release.
>
> I couldn't read any mail/notification that this issue
> I brought up was addressed, so I thought just to step
> forward with two suggestions, here they are:
>
> - increase NSS_BUFLEN_GROUP in /usr/include/grp.h
> and NSS_BUFLEN_PASSWD in /usr/include/pwd.h
> at least to 4096, better 8192.
This would not solve the problem, only hide it for more cases.
>
> - somebody has to find the real problem in "_nss_compat_initgroups"
> in ./nis/nss_compat/compat-initgroups.c.
> the same code seems to be in ./grp/initgroups.c
> and ./nis/nss_nis/nis-initgroups.c.
It is the same code for /etc/group, NIS and NIS+. I created
a group entry with about 3000 characters in /etc/group and
the NIS group map. It works without problems; __alloca is
called 3 times without problems for files (/etc/group) and NIS.
I think the problem is in the NIS+ code; it looks like we
overwrite some memory we are not allowed to write to.
But I don't have access to a NIS+ server at the moment,
so I cannot test and fix this.
> IMHO this problem needs to be resolved, also for security reasons.
> At least we were able to put some "numbers" on the stack,
> which at a certain point was found to be a valid address
> by the code after exiting a function.
This is bogus: if somebody is able to change your NIS+ data,
he doesn't need a buffer overflow to become root.
Thorsten
--
Thorsten Kukuk http://www.suse.de/~kukuk/ address@hidden
SuSE GmbH Schanzaeckerstr. 10 90443 Nuernberg
Linux is like a Vorlon. It is incredibly powerful, gives terse,
cryptic answers and has a lot of things going on in the background.