Concerning possible bugs in the 'inn' package

Russ Allbery rra at stanford.edu
Sun Oct 9 05:05:12 UTC 2005


Ben Schwarz <bschwarz at EECS.berkeley.EDU> writes:

> The specific type of bug which we have found stems from the standard
> file descriptors (FDs) on a Unix system. Typically, when a process is
> started, FD 0, 1 and 2 are set to standard in, standard out, and
> standard error respectively. Subsequent uses of input and output
> functions--such as printf--will read or write from one of these three
> descriptors. Customarily, a program starts with its standard file
> descriptors opened to terminal devices. However, since the kernel does
> not enforce this convention, an attacker can force a standard file
> descriptor of a victim program to be opened to a sensitive file, so that
> he may discover confidential information from the sensitive file or
> modify the sensitive file.

[...]

> Programs with bugs:
> rnews, rnews.c line 725

I've modified rnews to burn three file descriptors on startup if it's
running with privileges.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
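
An added example, not INN's actual change and not part of the original message: one common way to make sure descriptors 0, 1 and 2 are occupied before a privileged program opens any file of its own. The function names and the setuid/setgid test used to decide "running with privileges" are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Assumption: "privileged" means the real and effective IDs differ,
 * i.e. the binary was started setuid or setgid. */
int running_with_privileges(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Occupy any of fds 0, 1, 2 that the caller left closed by pointing them
 * at /dev/null. open() always returns the lowest free descriptor, so once
 * it hands back something above 2, all three standard slots are in use.
 * Returns the number of slots that had to be filled, or -1 on error. */
int reserve_std_fds(void)
{
    int filled = 0;

    for (;;) {
        int fd = open("/dev/null", O_RDWR);
        if (fd < 0)
            return -1;              /* cannot guarantee safety: caller should abort */
        if (fd > STDERR_FILENO) {
            close(fd);              /* 0..2 were already taken; drop the probe */
            return filled;
        }
        filled++;                   /* fd is 0, 1 or 2: keep it open on purpose */
    }
}

int main(void)
{
    /* Must run before any other open(), socket() or fopen() call. */
    if (running_with_privileges() && reserve_std_fds() < 0) {
        _exit(1);                   /* do not touch stdio: fd 2 may be unsafe */
    }

    /* From here on, a newly opened sensitive file can never land on
     * fd 0, 1 or 2, so stray printf()/fprintf(stderr, ...) output
     * cannot be redirected into it. */
    return 0;
}
```
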


