Vulnerability Development mailing list archives

Re: New bugs discovered!
From: "Crist J. Clark" <cristjc () earthlink net>
Date: Mon, 19 Nov 2001 00:59:04 -0800

On Sun, Nov 18, 2001 at 09:04:31PM +0300, Yaroslav Klyukin wrote:
> vuln-dev wrote:
>
> > GOBBLES security is happy to announce the discovery of multiple bugs in
> > /bin/gzip, which can be exploited remotely with a bit of creativity.
> > Attached is our advisory on the matter.
>
> Hey, I have tried
>
> /bin/gzip `perl -e 'print "A" x 2048'`
>
> On Linux and FreeBSD
> It didn't work.

On FreeBSD 4-STABLE, there is the following code in gzip.c,

1.8          (wosch    27-Dec-97):     if (strlen(iname) >= sizeof(ifname) - 3) {
1.8          (wosch    27-Dec-97):      errno = ENAMETOOLONG;
1.8          (wosch    27-Dec-97):      perror(iname);
1.8          (wosch    27-Dec-97):      exit_code = ERROR;
1.8          (wosch    27-Dec-97):      return ERROR;
1.8          (wosch    27-Dec-97):     }
1.1          (nate     18-Jun-93): 
1.1          (nate     18-Jun-93):     strcpy(ifname, iname);

So that's been fixed for a little under four years.

As for the particular strcpy(3) quoted in the original mail,

        strcpy(nbuf,dir)

1.1          (nate     18-Jun-93):      len = strlen(dir);
1.1          (nate     18-Jun-93):      if (len + NLENGTH(dp) + 1 < MAX_PATH_LEN - 1) {
1.1          (nate     18-Jun-93):          strcpy(nbuf,dir);

The length was actually checked first in the original '93 import.
-- 
Crist J. Clark                     |     cjclark () alum mit edu
                                   |     cjclark () jhu edu
http://people.freebsd.org/~cjc/    |     cjc () freebsd org

