From owner-freebsd-bugs Thu Jan 16 18:00:05 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id SAA02617 for bugs-outgoing; Thu, 16 Jan 1997 18:00:05 -0800 (PST) Received: (from gnats@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id SAA02596; Thu, 16 Jan 1997 18:00:02 -0800 (PST) Resent-Date: Thu, 16 Jan 1997 18:00:02 -0800 (PST) Resent-Message-Id: <199701170200.SAA02596@freefall.freebsd.org> Resent-From: gnats (GNATS Management) Resent-To: freebsd-bugs Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, muir@idiom.com Received: from idiom.com (root@idiom.com [140.174.82.4]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id RAA02242 for ; Thu, 16 Jan 1997 17:52:06 -0800 (PST) Received: (from muir@localhost) by idiom.com (8.8.4/8.8.3) id RAA05480; Thu, 16 Jan 1997 17:52:05 -0800 (PST) Message-Id: <199701170152.RAA05480@idiom.com> Date: Thu, 16 Jan 1997 17:52:05 -0800 (PST) From: David Muir Sharnoff Reply-To: muir@idiom.com To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.2 Subject: bin/2511: Security bug in crontab() Sender: owner-bugs@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >Number: 2511 >Category: bin >Synopsis: Security bug in crontab() >Confidential: yes >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Jan 16 18:00:01 PST 1997 >Last-Modified: >Originator: David Muir Sharnoff >Organization: Idiom >Release: FreeBSD 2.1-STABLE i386 >Environment: FreeBSD 2.1-stable as of about 2.1.5 Fresh -stable sources >Description: See http://www.l0pht.com/advisories.html >How-To-Repeat: See http://www.l0pht.com/advisories.html >Fix: I only spent about 10 minutes making the patch so somebody might be able to do a better job of it. Index: crontab.c =================================================================== RCS file: /usr/cvs/src/usr.sbin/cron/crontab/crontab.c,v retrieving revision 1.3.4.1 diff -c -r1.3.4.1 crontab.c *** crontab.c 1996/04/09 21:23:11 1.3.4.1 --- crontab.c 1997/01/17 01:39:08 *************** *** 43,48 **** --- 43,49 ---- #if defined(POSIX) # include #endif + #include "utmp.h" #define NHEADER_LINES 3 *************** *** 167,173 **** ProgramName, optarg); exit(ERROR_EXIT); } ! (void) strcpy(User, optarg); break; case 'l': if (Option != opt_unknown) --- 168,174 ---- ProgramName, optarg); exit(ERROR_EXIT); } ! (void) strncpy(User, optarg, UT_NAMESIZE); break; case 'l': if (Option != opt_unknown) *************** *** 198,204 **** } else { if (argv[optind] != NULL) { Option = opt_replace; ! (void) strcpy (Filename, argv[optind]); } else { usage("file name must be specified for replace"); } --- 199,205 ---- } else { if (argv[optind] != NULL) { Option = opt_replace; ! (void) strncpy (Filename, argv[optind], sizeof(Filename)); } else { usage("file name must be specified for replace"); } >Audit-Trail: >Unformatted: