cygwin1.dll up to 1.5.22 overflow

Daniel Fdez. Bleda dfernandez@isecauditors.com
Tue Nov 13 10:40:00 GMT 2007


Dave,
> 
>   You didn't answer all our questions yet, specifically which was the
> vulnerable function.  I was hoping to get some feel for whether this could be
> exploited remotely, e.g. by uploading a long file to an ftp server, and
> whether it could be used to increase privilege, by triggering in a cygwin
> service.
The vulnerable command is "touch". We didn't analyze the code, as we
suppose it is easier for you, or the maintainer coder, to locate the
vulnerable function. At least, faster. So, what is the vulnerable
function? I don't know. The vulnerability is easily exploitable, so
you could check it quickly to be sure where the flaw is.
> 
>   The answers to those questions would determine my suggested response.  If
> any of them were 'yes', I would suggest we delete the affected versions from
> the sourceware repository and place an announcement on the cygwin.com front
> page, co-ordinated with your advisory.  If not, I would suggest that it would
> be appropriate to just release your advisory to the mailing list.
> 
>   However, Corinna is the responsible maintainer, so we should wait for her
> input.
> 
>   BTW, it's not clear from your subject line: cygwin1.dll < 1.5.22, or
> cygwin1.dll <= 1.5.22?  Which was the first fixed version?
cygwin1.dll <= 1.5.22
But I'll check it again.
> 
> 
>     cheers,
>       DaveK

Regards,


