Date:      Thu, 23 Mar 2000 15:45:39 -0500 (EST)
From:      Mikhail Teterin <mi@video-collage.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        ume@FreeBSD.org, bill@gkrellm.net
Subject:   ports/17573: gkrellm defaults to the wrong mbox location, uses sprintf unsafely
Message-ID:  <200003232045.PAA83658@dufus.video-collage.com>


>Number:         17573
>Category:       ports
>Synopsis:       gkrellm defaults to the wrong mbox location, uses sprintf unsafely
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 23 12:50:02 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Mikhail Teterin
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
Virtual Estates, Inc.
>Environment:

>Description:

	The wrong (for BSD) path /var/spool/mail/%s is hardcoded in mail.c
	instead of /var/mail/%s ... Easy enough :)

	The length of the buffer (128) seems a bit "off-the-wall". Normally,
	a user-name is below 8 or 16 characters...

	This patch also addresses the security hole, exploitable by setting
	the USER environment variable to something very-very long, but there
	are plenty of other spots where sprintf is used instead of snprintf to
	construct strings in buffers. A program that wants to be installed
	suid should, probably, use snprintf exclusively (or, even better --
	strncat -- if it is just the concatenation that's needed).

>How-To-Repeat:

>Fix:
	Put the following into the port's patches/patch-mail :

--- mail.c	Fri Mar 10 16:04:25 2000
+++ mail.c	Thu Mar 23 15:24:21 2000
@@ -885,3 +885,3 @@
 				{
-				sprintf(buf, "/var/spool/mail/%s", s);
+				snprintf(buf, 127, "/var/mail/%s", s);
 				s = buf;
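
Review bot: the size argument in `snprintf(buf, 127, "/var/mail/%s", s);` is a magic number, one less than the 128-byte buffer the report describes. snprintf already keeps room for the terminating NUL inside the size it is given, so pass the full size, ideally as `sizeof(buf)` if buf is an array in this scope, so the bound follows the declaration. The return value is also ignored: when it is greater than or equal to the size passed, the path was truncated and `s = buf` then names a different file than intended, so that case should be handled (for example by skipping the default mailbox) rather than used silently.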

>Release-Note:
>Audit-Trail:
>Unformatted:
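
An added example, not part of the original report and not gkrellm code: one way to build the default mailbox path from an untrusted user name with a bound taken from the buffer and truncation treated as an error. The helper name `build_mbox_path` and the rule that the name must be a single path component are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from gkrellm): write "/var/mail/<user>" into out.
 * Returns 0 on success, -1 if the name is missing, is not a single path
 * component, or the result does not fit in outsz bytes. */
int build_mbox_path(char *out, size_t outsz, const char *user)
{
    int n;

    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (user == NULL || user[0] == '\0')
        return -1;
    /* Assumption: a login name is one path component. */
    if (strchr(user, '/') != NULL ||
        strcmp(user, ".") == 0 || strcmp(user, "..") == 0)
        return -1;

    /* Pass the full buffer size; snprintf accounts for the NUL itself. */
    n = snprintf(out, outsz, "/var/mail/%s", user);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';  /* truncated: do not leave a partial path behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[128];
    char longname[512];  /* constructed over-long name, like a huge $USER */

    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    printf("%d %s\n", build_mbox_path(buf, sizeof(buf), "mi"), buf);
    printf("%d\n", build_mbox_path(buf, sizeof(buf), longname));
    return 0;
}
```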

