Infodrom Oldenburg
— hanterm —
| 15.2.2002: Security Fixes | hanterm | 3.3.1p17 |
|---|---|---|
| This patch fixes two problems. The first is broken dropping and regaining of privileges. The hanterm program normally runs setgid utmp so that it can modify the utmp file, and it drops these privileges on startup. So far, so good, but unfortunately it regained them far too early and forgot to drop them again. Hence, any later problem would occur with gid=utmp, which is bad. This has been fixed: privileges are now regained only right before the utmp file is written and are dropped again afterwards. The second problem is a set of buffer overflows in font argument handling. The program uses fixed-length strings but did not check the length of user-supplied arguments, which resulted in a segmentation fault. Even worse, the overflow was exploitable, so in combination with the first error an attacker could gain gid-utmp access (or root on systems other than Debian). |
| Download: Patch. |
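
The two fixes described above, sketched as an added example in C; this is not hanterm's code or the patch itself. The names `privs_init`, `with_utmp_privs`, `set_font_name`, `record_egid` and the `FONT_NAME_MAX` size are assumptions, and the utmp write is replaced by a constructed stand-in.

```c
#define _POSIX_C_SOURCE 200809L   /* declares setegid() */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define FONT_NAME_MAX 64          /* assumed size of the fixed-length buffer */
static gid_t real_gid, priv_gid;  /* priv_gid is utmp when installed setgid utmp */

/* Call first in main(): remember the setgid group, then run as the real gid. */
int privs_init(void)
{
    real_gid = getgid();
    priv_gid = getegid();
    return setegid(real_gid);     /* saved set-group-ID is kept for later */
}

/* Regain the group only around the utmp update, then drop and verify. */
int with_utmp_privs(int (*update)(void *), void *arg)
{
    if (setegid(priv_gid) != 0)
        return -1;
    int rc = update(arg);
    if (setegid(real_gid) != 0 || getegid() != real_gid)
        _exit(1);                 /* never keep running if the drop failed */
    return rc;
}

/* Copy a user-supplied font name; reject over-long input, never overflow. */
int set_font_name(char dst[FONT_NAME_MAX], const char *arg)
{
    size_t n = arg ? strlen(arg) : FONT_NAME_MAX;
    if (n >= FONT_NAME_MAX)
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Constructed stand-in for the utmp write: records the egid it ran under. */
static int record_egid(void *out) { *(gid_t *)out = getegid(); return 0; }

int main(int argc, char **argv)
{
    char font[FONT_NAME_MAX];
    gid_t seen;
    if (privs_init() || set_font_name(font, argc > 1 ? argv[1] : "fixed")
        || with_utmp_privs(record_egid, &seen))
        return 1;
    printf("font=%s utmp-write-egid=%d now-egid=%d\n", font, (int)seen, (int)getegid());
    return 0;
}
```

Because the saved set-group-ID remains utmp between calls, the narrow window only limits what an accidental fault can touch. The length check is what keeps untrusted font arguments from corrupting memory in a process that can still regain the group.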