xnec@INFERNO.TUSCULUM.EDU posted to BUGTRAQ:
greetings,
INFO:
There is a local root compromise in /usr/bin/gnuplot version
Linux version 3.5 (pre 3.6) patchlevel beta 336. gnuplot is shipped
to install suidroot on SuSE 5.2 and maybe others. The exploit
starts as a simple $HOME buffer overflow, but much like zgv holes
in the past, it drops root privs before the overflow occurs.
However, as Nergal describes at http://www.geek-girl.com/bugtraq/1998_4/0148.html,
svgalib needs write access to /dev/mem, and we can therefore regain
root privs by overwriting our uid.
The offending code appears in plot.c where we see:
char home[80];
…
char *tmp_home=getenv(HOME);
…
strcpy(home,tmp_home);
Exploit and patch removed. A sure-fire way to correct this
is to remove the setuid bit on the file (chmod 0755
/usr/bin/gnuplot). -lt ed
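The unbounded strcpy quoted above beside a bounds-checked replacement, as an added example that is neither gnuplot's source nor the poster's code; it assumes the environment variable is read with the literal name "HOME" and keeps the 80-byte buffer size from the excerpt.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOME_LEN 80   /* same fixed buffer size as the gnuplot excerpt */

/* The pattern from the excerpt, kept for contrast only: an unbounded copy
 * of a caller-controlled environment value into a fixed stack buffer. */
void home_copy_unbounded(char *home, const char *tmp_home)
{
    strcpy(home, tmp_home);   /* writes past home[] once tmp_home is 80+ bytes */
}

/* Bounds-checked replacement. Rejects a missing or oversized value instead
 * of truncating silently (a truncated path is also wrong). Returns 0 when
 * the value was stored, -1 otherwise. getenv() results are NUL-terminated,
 * so strlen() is safe here. */
int home_copy_checked(char *home, size_t home_size, const char *tmp_home)
{
    if (tmp_home == NULL)
        return -1;                    /* HOME not set */
    size_t n = strlen(tmp_home);
    if (n >= home_size)
        return -1;                    /* no room for the terminator */
    memcpy(home, tmp_home, n + 1);    /* copies the NUL as well */
    return 0;
}

/* Self-contained check: would this value fit the 80-byte buffer? */
int home_value_fits(const char *value)
{
    char home[HOME_LEN];
    return home_copy_checked(home, sizeof home, value) == 0;
}

/* Mirrors the original call site, now with the check in place. */
int main(void)
{
    char home[HOME_LEN];
    if (home_copy_checked(home, sizeof home, getenv("HOME")) != 0) {
        fputs("HOME unset or longer than 79 bytes; refusing to continue\n", stderr);
        return 1;
    }
    printf("HOME = %s\n", home);
    return 0;
}
```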