From xemacs-m  Thu Sep 25 10:30:29 1997
Received: from black-ice.cc.vt.edu (black-ice.cc.vt.edu [128.173.14.71])
	by xemacs.org (8.8.5/8.8.5) with ESMTP id KAA19419
	for <xemacs-beta@xemacs.org>; Thu, 25 Sep 1997 10:30:28 -0500 (CDT)
Received: from black-ice.cc.vt.edu (LOCALHOST [127.0.0.1])
	by black-ice.cc.vt.edu (8.8.7/8.8.7) with ESMTP id LAA14842;
	Thu, 25 Sep 1997 11:30:19 -0400
Message-Id: <199709251530.LAA14842@black-ice.cc.vt.edu>
To: Colin Rafferty <craffert@ml.com>
Cc: XEmacs Beta List <xemacs-beta@xemacs.org>
Subject: Re: Fatal serious (security) flaw in XEmacs 19.16/20.3 
In-Reply-To: Your message of "25 Sep 1997 10:17:29 EDT."
             <ocrsout5vgm.fsf@ml.com> 
From: Valdis.Kletnieks@vt.edu
X-Url: http://black-ice.cc.vt.edu/~valdis/
References: <m2zpp22ae9.fsf@altair.xemacs.org>
            <ocrsout5vgm.fsf@ml.com>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-214670628P";
	 micalg=pgp-md5; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Thu, 25 Sep 1997 11:30:19 -0400

--==_Exmh_-214670628P
Content-Type: text/plain; charset=us-ascii

On 25 Sep 1997 10:17:29 EDT, you said:
> Seriously, I agree that this is a bug, but if a malicious user can get
> your XEmacs to open a too-long-named file, he can get it to run a
> `call-process' as well.

Consider gnus, or w3 - both have to deal with externally provided
filenames (gnus in attachments, w3 if you try to 'save' what a link
points at).  I have *NOT* checked the code to see if either implements
its own length checking, but if they fail to do so, an external
malicious attacker can hand you a filename you can't save to.
However, I don't think he can get it to do a 'call-process' (unless
he's *REALLY DAMNED INCREDIBLY GOOD* at coding stack overflows. ;)

But then, if I was going to THAT much trouble, I'd skip call-process
and instead clobber the stack return address to point at a simple
exec("/bin/sh","my","arg","list") instead.  Templates are available
for such things. ;)

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech


--==_Exmh_-214670628P
Content-Type: application/pgp-signature


--==_Exmh_-214670628P--
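The length check the message says gnus and w3 would need before handing an externally supplied filename to a fixed-size buffer, as an added C example that is not XEmacs, gnus or w3 code. The buffer size, the status enum and the function names are assumptions for illustration; the sample over-long name is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback where <limits.h> does not define it */
#endif

/* Hypothetical fixed-size name buffer, the kind an unchecked copy of a
 * too-long filename would overrun. */
#define NAME_BUF 64

typedef enum { SAVE_OK, SAVE_NAME_TOO_LONG } save_status;

/* Validate an attacker-controllable name (attachment filename, URL path)
 * before it reaches any fixed buffer or the filesystem: it must leave
 * room for the terminating NUL in the caller's buffer and must not
 * exceed what the OS will accept at all. */
save_status check_external_name(const char *name, size_t bufsize)
{
    size_t n = strlen(name);
    if (n == 0 || n >= bufsize || n >= PATH_MAX)
        return SAVE_NAME_TOO_LONG;
    return SAVE_OK;
}

/* Copy into the caller's buffer only after the check passes; on
 * rejection leave an empty string so nothing half-copied is used. */
save_status copy_external_name(char *dst, size_t dstsize, const char *src)
{
    save_status st = check_external_name(src, dstsize);
    if (st != SAVE_OK) {
        dst[0] = '\0';
        return st;
    }
    memcpy(dst, src, strlen(src) + 1);  /* length already bounded above */
    return SAVE_OK;
}

int main(void)
{
    char dst[NAME_BUF];
    char oversized[200];                 /* constructed 199-char name */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("report.txt -> %d\n", copy_external_name(dst, sizeof dst, "report.txt"));
    printf("199 x 'A'  -> %d\n", copy_external_name(dst, sizeof dst, oversized));
    return 0;
}
```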

