Message-ID: <email address hidden>
Date: Wed, 7 Jan 2004 12:56:53 -0800
From: Kevin Lindsay <email address hidden>
To: Matt Zimmerman <email address hidden>, <email address hidden>
Cc: Petter Reinholdtsen <email address hidden>
Subject: Re: Bug#226103: CAN-2003-0848: heap overflow in slocate

On Wed, Jan 07, 2004 at 11:04:22AM -0800, Matt Zimmerman wrote:
> On Mon, Jan 05, 2004 at 01:34:00AM +0100, Petter Reinholdtsen wrote:
>
> > This bug seems to be similar to CVE-2001-0066, reported 2000-12-17 in
> > DSA-005-1. <URL: http://www.debian.org/security/2000/20001217a >.
> >
> > Perhaps there are more problems with the database handling in slocate?
>
> Probably. I think that it is not a good idea for slocate to read and
> interpret a user-supplied database while running with setgid privileges.
> Since slocate indexes all files on the system, I don't see why this should
> be needed either.

I agree. I took a more careful look at the advisory and I will be doing an
audit on the necessary code. User defined databases were requested to handle
lookups on remote file systems which had their own databases. I think a
good plan would be to drop privileges when searching databases which do not
have the 'slocate' group assigned. Let me know if I'm missing anything.
Kevin-
---------------------------------------------------
Kevin Lindsay
Fingerprint: 81E 58A3 B49A 580E EE3D 8CF0 519A 55F0 746C 51F4
Key Id: 746C51F4
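
The plan described in the message above (drop privileges when a database does not carry the 'slocate' group), sketched as an added example; this is not slocate's code and not part of the original thread. The function names are hypothetical, and the world-writable check is an extra assumption beyond what the thread proposes.

```c
#define _DEFAULT_SOURCE 1   /* exposes setregid() under strict -std= modes */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Policy: keep the setgid group only for a regular file carrying the trusted
 * group. The S_IWOTH test is an added assumption, not from the thread. */
int must_drop_privs(const struct stat *st, gid_t trusted_gid)
{
    if (!S_ISREG(st->st_mode)) return 1;
    if (st->st_gid != trusted_gid) return 1;
    if (st->st_mode & S_IWOTH) return 1;   /* anyone could have rewritten it */
    return 0;
}

/* Permanent drop: setregid() with both ids set to the real gid also replaces
 * the saved gid, so the group cannot be regained after this call. */
int drop_setgid(void)
{
    gid_t rgid = getgid();
    if (setregid(rgid, rgid) != 0) return -1;
    return getegid() == rgid ? 0 : -1;
}

/* Decide on the opened descriptor (fstat, not stat) so the file checked is
 * the file read; privileges are dropped before any byte is parsed. */
int open_db(const char *path, gid_t trusted_gid, int *dropped)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    *dropped = must_drop_privs(&st, trusted_gid);
    if (*dropped && drop_setgid() != 0) { close(fd); return -1; }
    return fd;
}

int main(int argc, char **argv)
{
    struct group *gr = getgrnam("slocate");   /* group name from the thread */
    int dropped = 0;
    if (argc < 2 || gr == NULL) return 2;
    int fd = open_db(argv[1], gr->gr_gid, &dropped);
    if (fd < 0) return 1;
    printf("%s: %s\n", argv[1], dropped ? "privileges dropped" : "trusted");
    close(fd);
    return 0;
}
```

A failed drop is treated as a hard error, so the caller never parses an untrusted database while still holding the group.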