As far as I can tell, su has been fixed in Slackware 3.4.
>other privileged processes that use user-supplied data in ident for
>openlog() -- could even be a daemon setting the ident to something like
>"daemon: username" (I don't know of any such examples though).
>I have verified this is exploitable in libc 5.4.23 and RedHat's 5.3.12-18
>that comes with RH 4.2, but is fixed in 5.4.38. It can't be exploited via
>/bin/su on standard RedHat setup though.
>Actually, the behavior of Slackware's /bin/su is quite stupid anyway:
>sunny:/tmp$ ln -s /bin/su kernel
>sunny:/tmp$ export PATH=.:$PATH
>sunny:/tmp$ kernel
>Password:
>sunny:/tmp# tail -1 /var/log/messages
>Dec 20 23:32:33 sunny kernel: root on /dev/ttyp1
Again, can't duplicate this under Slackware 3.4.
>No real security hole here, but this shows it was a stupid thing to use
>argv[0] for openlog().
Gotta agree here.
<snip>
>Since you should fix the vulnerability regardless if it's exploitable via
>your version of /bin/su or not, here's a tiny program for checking if
>your libc is vulnerable. If this segfaults, you're vulnerable.
>--- syslog-check.c ---
<snip>
Under Slackware 3.4, libc 5.4.33, this code causes
<BUFFER OVERUN ATTEMPT>: message
to be logged to syslog.
--
Dann Lunsford          * The only thing necessary for the triumph of evil
dann@greycat.com       * is that men of good will do nothing. -- Cicero
                       * Hiroshima 45 -- Chernobyl 86 -- Windows 95
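The reply above shows a patched libc logging "<BUFFER OVERUN ATTEMPT>: message" instead of overflowing, and the quoted part shows why argv[0] is a poor choice of ident. The following is an added illustration, not code from this thread or from any libc: a bounded ident copy that rejects over-long or unprintable idents and substitutes the marker, and a log-line formatter that makes clear why bounding alone does not stop the symlink trick (the constant IDENT_MAX, the marker handling and all function names are assumptions).

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed size of the fixed ident buffer; an unbounded strcpy into such a
 * buffer is the class of defect discussed in the thread. */
#define IDENT_MAX 32
#define OVERRUN_MARKER "<BUFFER OVERUN ATTEMPT>"

/* Copy ident into out (outsz bytes) only if it is short enough and printable.
 * Returns 1 if accepted verbatim, 0 if rejected and replaced by the marker.
 * Never writes past the destination buffer regardless of ident's length. */
int bounded_ident(const char *ident, char *out, size_t outsz)
{
    size_t n = strlen(ident);
    int ok = (n > 0 && n < IDENT_MAX);
    for (size_t i = 0; ok && i < n; i++)
        if (!isprint((unsigned char)ident[i]))   /* newline etc. => log injection */
            ok = 0;
    snprintf(out, outsz, "%s", ok ? ident : OVERRUN_MARKER);
    return ok;
}

/* Format "ident: message" the way the quoted syslog line shows it.
 * A privileged program should pass a compile-time constant as ident;
 * argv[0] is chosen by the invoking user (ln -s /bin/su kernel), and no
 * amount of bounds checking turns "kernel" back into "su". */
int format_log_line(const char *ident, const char *msg, char *out, size_t outsz)
{
    char id[IDENT_MAX];
    int ok = bounded_ident(ident, id, sizeof id);
    snprintf(out, outsz, "%s: %s", id, msg);
    return ok;
}

int main(int argc, char **argv)
{
    char line[128];
    (void)argc;
    /* Spoofable: whatever name the program was invoked under. */
    format_log_line(argv[0], "root on /dev/ttyp1", line, sizeof line);
    printf("via argv[0]: %s\n", line);
    /* Fixed ident: the invoking user cannot influence it. */
    format_log_line("su", "root on /dev/ttyp1", line, sizeof line);
    printf("constant:    %s\n", line);
    return 0;
}
```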