COMMAND

    elvis

SYSTEMS AFFECTED

    SuSE Linux 6.2

PROBLEM

    Way back in August of 1998 H D Moore posted a message to the Bugtraq
    list about a handful of buffer overflows in various utilities that
    shipped with SuSE Linux 6.2.  It seems that after a year and a half
    a few of these bugs STILL exist.  None of these utilities are harmful
    by themselves, but they may open a security hole when called by a
    privileged program (see compress below).  The original message can be
    found here:

        http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-08-29&msg=35EE534C.B0031C53@usa.net

    In elvis version 2.1_4 (compiled by Moore from source with default
    settings) the file path overflow reported against 2.0 in the original
    post is fixed, but there is a new overflow via the LC_ALL, LC_MESSAGES
    and LANG environment variables:

        line 663: main.c

        char    lcfile[100];    /* combination of locale name and file name */


        line 703: main.c

        /* Load the verbose messages, plus a few others */
        if (((lc = getenv("LC_ALL")) != NULL && *lc)
         || ((lc = getenv("LC_MESSAGES")) != NULL && *lc)
         || ((lc = getenv("LANG")) != NULL && *lc))
        {
                /* Try to find "elvis.msg" in a locale-dependent subdirectory.
                 * If you can't find it there, then look for the standard one.
                 */
                /* no length check: the path built from the user-supplied
                 * locale name can exceed the 100 bytes of lcfile */
                strcpy(lcfile, dirpath(lc, MSG_FILE));
                buf = bufpath(o_elvispath, lcfile, toCHAR(MSG_BUF));
                if (!buf || o_bufchars(buf) == 0)
                {
                        (void)bufpath(o_elvispath, MSG_FILE, toCHAR(MSG_BUF));
                }
        }

    A standard buffer overrun: strcpy() copies the locale-dependent path
    returned by dirpath() into the 100-byte lcfile array with no length
    check, so an over-long LC_ALL, LC_MESSAGES or LANG value overflows it.
    There are also issues with the bufpath() and buffind() functions.
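    The following is an added example, not elvis source and not part of
    the original post: a bounded replacement for the strcpy() call above
    that rejects a locale value whose combined path would not fit in the
    100-byte buffer, and a wrapper that mirrors the LC_ALL / LC_MESSAGES /
    LANG selection order without reading the real environment.  It assumes
    (this is not stated on the page) that dirpath() simply joins its two
    arguments with a '/'; build_lcfile(), pick_locale() and
    locale_msg_path() are names chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not elvis code.  Assumption: dirpath(lc, MSG_FILE)
 * produces "<lc>/<MSG_FILE>"; the buffer size matches the original
 * 100-byte lcfile. */
#define LCFILE_SIZE 100
#define MSG_FILE "elvis.msg"

/* Build "<lc>/<file>" into out[outsz].  Returns 0 on success, -1 when
 * the result would not fit; out is left as an empty string on failure. */
int build_lcfile(const char *lc, const char *file, char *out, size_t outsz)
{
    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (lc == NULL || file == NULL)
        return -1;
    /* bytes needed: locale + '/' + file name + terminating NUL */
    size_t need = strlen(lc) + 1 + strlen(file) + 1;
    if (need > outsz)
        return -1;              /* this is the case strcpy() never checked */
    int n = snprintf(out, outsz, "%s/%s", lc, file);
    if (n < 0 || (size_t)n >= outsz) {   /* defensive; cannot happen after the check */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Same precedence as the original getenv() chain: the first non-empty of
 * LC_ALL, LC_MESSAGES, LANG wins.  Values are passed in so the example
 * runs without touching the process environment.  NULL means none set. */
const char *pick_locale(const char *lc_all, const char *lc_messages, const char *lang)
{
    if (lc_all && *lc_all) return lc_all;
    if (lc_messages && *lc_messages) return lc_messages;
    if (lang && *lang) return lang;
    return NULL;
}

/* Returns 1 when a locale-specific message file path was built into out,
 * 0 when no locale is set or the value is too long; in the 0 case the
 * caller falls back to the plain MSG_FILE, as the original code already
 * does when the locale-specific lookup fails. */
int locale_msg_path(const char *lc_all, const char *lc_messages, const char *lang,
                    char *out, size_t outsz)
{
    const char *lc = pick_locale(lc_all, lc_messages, lang);
    if (lc == NULL)
        return 0;
    return build_lcfile(lc, MSG_FILE, out, outsz) == 0 ? 1 : 0;
}

int main(void)
{
    char lcfile[LCFILE_SIZE];
    char huge[200];                      /* constructed over-long locale value */
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';

    if (locale_msg_path("de_DE", NULL, NULL, lcfile, sizeof lcfile))
        printf("ok: %s\n", lcfile);
    if (!locale_msg_path(huge, NULL, NULL, lcfile, sizeof lcfile))
        printf("rejected: locale value of %zu bytes does not fit\n", strlen(huge));
    return 0;
}
```

    The length check is computed on the full joined path (locale,
    separator, file name, NUL), not on the locale value alone, so a value
    that is short enough by itself but too long once MSG_FILE is appended
    is still refused rather than truncated silently.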

SOLUTION

    Nothing yet.