julien vanegue wrote:
> The problem seems to affect a lot of programs, because they do not
> fill the last parameter of the syscall correctly, but it is rarely
> exploitable.
>
> int shmget(key_t key, size_t size, int shmflg);

Well, the culprit is gtk (gtk+-1.2.10/gdk/gdkimage.c line 214):

    x_shm_info->shmid = shmget (IPC_PRIVATE,
                                private->ximage->bytes_per_line * private->ximage->height,
                                IPC_CREAT | 0777);

where the mode is explicitly set. Don't know what this will break if it
gets set to 0600.

[brane] /usr/ports/x11-toolkits/gtk12 # ipcs -p -m
Shared Memory:
T      ID      KEY  MODE         OWNER  GROUP  CPID   LPID
m    65536  5432001 --rw-------  pgsql  pgsql    271    271
m  1441793        0 --rw-------  iang   guest  19400    324

[brane] /usr/ports/x11-toolkits/gtk12 # ps -p 19400
  PID  TT  STAT     TIME COMMAND
19400  p4  S+    0:06.11 xmms

The little that I have linking against gtk seems to work.

Ian

--
Ian Freislich
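As an added illustration of the point in the thread (this is not gtk's code and not from either poster), the following C program shows what the mode argument of shmget() actually controls and what the 0600 alternative looks like. Unlike open(), shmget() does not apply the umask, so whatever is passed in shmflg becomes the segment's permissions verbatim. The helper create_attach_and_hide() goes one step further than just changing 0777 to 0600: it attaches the segment and then marks it for removal with IPC_RMID right away, so no other process can shmat() to it afterwards while the existing mapping stays usable until shmdt(). The function names, the 4096-byte size and the "hello" payload are the example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>
#include <unistd.h>

/* True when the permission bits grant group or other any access.
 * 0777 (the quoted gtk call) is world read/write; 0600 is owner-only. */
int shm_mode_is_world_accessible(int mode)
{
    return (mode & (S_IRWXG | S_IRWXO)) != 0;
}

/* Create a private segment with the given bits, read the mode back with
 * IPC_STAT, destroy the segment. Returns the recorded permission bits
 * (low 9 bits of shm_perm.mode) or -1 on failure. Assumed helper. */
int create_and_stat(int perm)
{
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | perm);
    if (id < 0)
        return -1;
    struct shmid_ds ds;
    int mode = (shmctl(id, IPC_STAT, &ds) == 0) ? (int)(ds.shm_perm.mode & 0777) : -1;
    shmctl(id, IPC_RMID, NULL);          /* never leave test segments behind */
    return mode;
}

/* Hardened pattern for a client like the gdk image code: owner-only mode,
 * attach, then IPC_RMID immediately so nobody else can attach later. The
 * mapping stays valid until shmdt(). Returns the recorded mode on success
 * (expected 0600), -1 on any failure. Assumed helper. */
int create_attach_and_hide(void)
{
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | IPC_EXCL | 0600);
    if (id < 0)
        return -1;
    char *p = shmat(id, NULL, 0);
    if (p == (char *)-1) {
        shmctl(id, IPC_RMID, NULL);
        return -1;
    }
    struct shmid_ds ds;
    if (shmctl(id, IPC_STAT, &ds) != 0) {
        shmdt(p);
        shmctl(id, IPC_RMID, NULL);
        return -1;
    }
    /* Segment is now invisible to new shmat() callers, but still mapped here. */
    shmctl(id, IPC_RMID, NULL);
    memcpy(p, "hello", 6);               /* constructed payload: prove the mapping works */
    int ok = (strcmp(p, "hello") == 0);
    shmdt(p);                            /* last detach frees the segment */
    return ok ? (int)(ds.shm_perm.mode & 0777) : -1;
}

int main(void)
{
    printf("0777 world accessible: %d\n", shm_mode_is_world_accessible(0777));
    printf("0600 world accessible: %d\n", shm_mode_is_world_accessible(0600));
    printf("recorded mode for 0777 request: %04o\n", create_and_stat(0777));
    printf("recorded mode for 0600 request: %04o\n", create_and_stat(0600));
    printf("hardened segment mode: %04o\n", create_attach_and_hide());
    return 0;
}
```

Running it as an unprivileged user and then `ipcs -m` in another terminal during the shmat() window shows the difference the thread is about: the 0777 segment appears with mode --rw-rw-rw- and any local user can shmat() to it and read or overwrite the image buffer, while the 0600 one is --rw------- and, once IPC_RMID has been applied, no longer appears at all.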