https://bugzilla.novell.com/show_bug.cgi?id=629236
https://bugzilla.novell.com/show_bug.cgi?id=629236#c7
--- Comment #7 from Sebastian Krahmer 2010-09-28 08:40:37 UTC ---
We already audited vlock and didn't want to make it suid.
Please see bnc#342924.
The 11.2 vlock build at least is also wrong with its plugins.
On x86_64, the binary looks in /usr/lib/vlock for plugins and scripts,
but they are located in /usr/lib64/vlock.
It is checking for / characters in pathnames, but I'd prefer
to disable execution of plugins and scripts.
Additionally there's a small bug:
diff -rup vlock-2.2.2.orig//src/util.c vlock-2.2.2/src/util.c
--- vlock-2.2.2.orig//src/util.c 2008-05-18 05:10:54.000000000 -0400
+++ vlock-2.2.2/src/util.c 2010-09-28 11:53:39.079325879 -0400
@@ -51,11 +51,11 @@ struct timespec *parse_seconds(const cha
void fatal_error(const char *format, ...)
{
- char *error;
+ char *error = NULL;
va_list ap;
va_start(ap, format);
if (vasprintf(&error, format, ap) < 0)
- error = "error while formatting error message";
+ error = strdup("error while formatting error message");
va_end(ap);
fatal_error_free(error);
}
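Review bot: the strdup() result in the vasprintf() failure branch is not checked. vasprintf() typically fails because an allocation failed, and in that situation strdup() is likely to return NULL as well, so `fatal_error_free(error);` would be called with a NULL pointer; whether it handles that is not visible in this hunk. Consider a fallback that does not allocate, such as reporting the fixed message through a path that never calls free() on it, or at least test for NULL before the call. Also confirm that util.c includes <string.h> for strdup(), since the includes are outside the lines shown.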
since fatal_error_free() would call free() on a string literal.
Why does vlock need suid/sgid? Isn't unix2_chkpwd exactly for that purpose?