-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

======================================================================
Security advisory 20031006
- ----------------------------------------------------------------------
Product: slocate
Vulnerability type: buffer overflow (corrupt heap)
Extended type: possibly gaining elevated privileges
Severity: low
Issue date: 2003/10/06
Last updated: 2003/10/06
======================================================================



Description
- -----------

Mr. Hornik has discovered buffer overflow vulnerability in slocate
version 2.6. Many Linux distributions have their slocate package based
on this version. We found at least RedHat package to be vulnerable.
The vulnerability corrupts heap management structures and possibly
leads to gaining slocate group privileges, which allows reading global
slocate database and thus obtaining list of all files in the system by
unauthorized user.


Vulnerability
- -------------

Program slocate works on user supplied database with setgid to slocate
group. With user prepared slocate database one can cause (we are
reffering to source lines from slocate-2.6-1.src.rpm from RH 7.3) that
pathlen after executing main.c:1255 will have value -1. It must be
caused by not the first path in the database because it is verified in
validate_db. Then on line main.c:1275 the last byte of memory block
header (this memory block size) will be overwritten with user suplied
value. The codedpath is never freed by the code, but it is possible to
trigger realloc on line 1269 later by data in database.

Because of not freeing some dynamic memory, using multiple databases
and multiple search patterns it should be possible to prepare heap
before triggering this vulnerability to allow later execution of
arbitrary code, thus gaining slocate group privileges. This allows
reading of global slocate database with list of all files in the
system by unauthorized user. The exploit is not available at this
time.

Suggested and correct patch is to change condition on line 1263 to
pathlen <= 0.


Who is affected?
- ----------------

Affected are all RedHat distributions up to version 9.0 including.

slocate version 2.6 and below is vulnerable. slocate version 2.7 and
all packages based on this version are not vulnerable.


Recommendations
- ---------------

We recommend to upgrade slocate package to the fixed version.

If obtaining the list of all files on the system by unauthorized user
is security risk for your system we recommend to remove slocate
database and disable automatic generation of this database (as daily
cron job) or remove slocate utility or generate database only from
safe files until fixed version is installed.


References
- ----------

This security advisory:
<http://www.ebitech.sk/patrik/SA/SA-20031006.txt>


Contact
- -------

Patrik Hornik
- --
Security Consultant

Email: patrik.hornik@ebitech.sk <mailto:patrik.hornik@ebitech.sk>
Phone: +421 905 385 666
PGP KeyID: DFA5BC67

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2i

iQA/AwUBP4GiISTdn3LfpbxnEQL15ACgufs5R/lwY0VgLoBYZQDXEMPho0IAmwZi
rx2AbvKgd9w+C4l4r+l7eulc
=Kp2V
-----END PGP SIGNATURE-----