Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 16 Jan 1997 17:52:05 -0800 (PST)
From:      David Muir Sharnoff <muir@idiom.com>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/2511: Security bug in crontab()
Message-ID:  <199701170152.RAA05480@idiom.com>
Resent-Message-ID: <199701170200.SAA02596@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         2511
>Category:       bin
>Synopsis:       Security bug in crontab()
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 16 18:00:01 PST 1997
>Last-Modified:
>Originator:     David Muir Sharnoff
>Organization:
Idiom
>Release:        FreeBSD 2.1-STABLE i386
>Environment:

	FreeBSD 2.1-stable as of about 2.1.5
	Fresh -stable sources

>Description:

	See http://www.l0pht.com/advisories.html

>How-To-Repeat:

	See http://www.l0pht.com/advisories.html

>Fix:

I only spent about 10 minutes making the patch so somebody might
be able to do a better job of it.
	
Index: crontab.c
===================================================================
RCS file: /usr/cvs/src/usr.sbin/cron/crontab/crontab.c,v
retrieving revision 1.3.4.1
diff -c -r1.3.4.1 crontab.c
*** crontab.c	1996/04/09 21:23:11	1.3.4.1
--- crontab.c	1997/01/17 01:39:08
***************
*** 43,48 ****
--- 43,49 ----
  #if defined(POSIX)
  # include <locale.h>
  #endif
+ #include "utmp.h"
  
  
  #define NHEADER_LINES 3
***************
*** 167,173 ****
  					ProgramName, optarg);
  				exit(ERROR_EXIT);
  			}
! 			(void) strcpy(User, optarg);
  			break;
  		case 'l':
  			if (Option != opt_unknown)
--- 168,174 ----
  					ProgramName, optarg);
  				exit(ERROR_EXIT);
  			}
! 			(void) strncpy(User, optarg, UT_NAMESIZE);
  			break;
  		case 'l':
  			if (Option != opt_unknown)
***************
*** 198,204 ****
  	} else {
  		if (argv[optind] != NULL) {
  			Option = opt_replace;
! 			(void) strcpy (Filename, argv[optind]);
  		} else {
  			usage("file name must be specified for replace");
  		}
--- 199,205 ----
  	} else {
  		if (argv[optind] != NULL) {
  			Option = opt_replace;
! 			(void) strncpy (Filename, argv[optind], sizeof(Filename));
  		} else {
  			usage("file name must be specified for replace");
  		}

>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199701170152.RAA05480>