Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Patches for 2.1.6-RELEASE locale stuff...
From: wpilorz () CELEBRIS BDK LUBLIN PL (Wojtek Pilorz)
Date: Tue, 4 Feb 1997 08:49:11 +0100


I believe that your patches have still some security problems,
as you ignore return value from snprintf.
Please find a few lines from FreeBSD snprintf man page:
     snprintf(char *str, size_t size, const char *format, ...)
     Snprintf() and vsnprintf() will write at most size-1 of the
     characters printed into the output string (the size'th character then
     gets the terminating `\0'); if the return value is greater than or equal
     to the size argument, the string was too short and some of the printed
     characters were discarded.  Sprintf() and vsprintf() effectively assume
     an infinite size.

The effect might be that the attacker could prepare a long path
in PATH_LOCALE before executing a SUID program which would
cause arbitrary file on the system to be read
(e.g. export PATH_LOCALE="/home/evil/111111111/222222222/33333333\
/XXXXXX/../../../../../home/manager/.ssh/identity", where XXXXXX is similar to the
surrounding elements)
by the startup code;
If then the attacker would be able to create a core dump ...

Anyway , you might want to look at FreeBSD-current code, where
this problem seems to be solved (in a slightly different way.


Wojtek Pilorz
Wojtek.Pilorz () bdk lublin pl


On Tue, 4 Feb 1997 tenser () SPITFIRE ECSEL PSU EDU wrote:

Date: Tue, 4 Feb 1997 04:06:01 -0000
Subject: Patches for 2.1.6-RELEASE locale stuff...

I took another look at the locale code for 2.1.6-RELEASE (availible in
/usr/src/lib/libc/locale), and tried to go though everything and look
for buffer overrun type stuff.  Here is a set of patches for the four
files I modified.  I don't guarantee that this takes care of all possible
locale security problems, but it's a start for the folks who are going
to presumably issue an advisory and official patch at some point in the
future.  These patched source files at least compile on my 386 running
2.1.6.  Any errors I might have made, I attribute to lack of sleep over
the last few days.  :-)

(Note, just to clarify: My first patch should have thwarted the startup
locale processing bug.  These patches are for other buffer overrun problems
in the locale stuff in the C library.  That first patch is also included
here for convenience.)

        - Dan C.

----- Begin 2.1.6-locale.diff
*** collate.c   1997/02/04 02:49:05     1.1
--- collate.c   1997/02/04 02:54:58
*** 66,75 ****
                return -1;
        if (!path_locale && !(path_locale = getenv("PATH_LOCALE")))
                path_locale = _PATH_LOCALE;
!       strcpy(buf, path_locale);
!       strcat(buf, "/");
!       strcat(buf, encoding);
!       strcat(buf, "/LC_COLLATE");
        if ((fp = fopen(buf, "r")) == NULL)
                return -1;
        FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp);
--- 66,73 ----
                return -1;
        if (!path_locale && !(path_locale = getenv("PATH_LOCALE")))
                path_locale = _PATH_LOCALE;
!       (void)snprintf(buf,
!               PATH_MAX, "%s/%s/LC_COLLATE", path_locale, encoding);
        if ((fp = fopen(buf, "r")) == NULL)
                return -1;
        FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp);
[patches to other files have been removed ...]

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]