From owner-freebsd-ports  Mon Mar 30 16:50:14 1998
Return-Path: <owner-freebsd-ports@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA12828
          for freebsd-ports-outgoing; Mon, 30 Mar 1998 16:50:14 -0800 (PST)
          (envelope-from owner-freebsd-ports@FreeBSD.ORG)
Received: (from gnats@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA12804;
          Mon, 30 Mar 1998 16:50:05 -0800 (PST)
          (envelope-from gnats)
Received: from gras-varg.worldgate.com (marcs@gras-varg.worldgate.com [198.161.84.12])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA12447
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 30 Mar 1998 16:48:16 -0800 (PST)
          (envelope-from marcs@worldgate.com)
Received: (from marcs@localhost) by gras-varg.worldgate.com (8.8.8/8.6.12) id RAA08244; Mon, 30 Mar 1998 17:48:14 -0700 (MST)
Message-Id: <199803310048.RAA08244@gras-varg.worldgate.com>
Date: Mon, 30 Mar 1998 17:48:14 -0700 (MST)
From: marcs@znep.com
Reply-To: marcs@znep.com
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: ports/6180: youbin port has root-exploitable security hole
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


>Number:         6180
>Category:       ports
>Synopsis:       youbin port has root-exploitable security hole
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 30 16:50:01 PST 1998
>Last-Modified:
>Originator:     Marc Slemko
>Organization:
>Release:        FreeBSD 2.2.6-STABLE i386
>Environment:

youbin-2.13 port as of today.

>Description:

The "youbin" program is installed setuid root but it has a hole that
is almost certainly exploitable.

"youbin -s xxxxx<many x's>" will normally cause a segmentation fault
due to no bounds checking.

The code does:
[...]
    char    server_name[MAXHOSTNAMELEN + 1];    /* Server name. */
[...]
            strcpy(server_name, optarg);

without any checking.  There are almost certainly more holes, I 
stopped looking after the first.



>How-To-Repeat:

	

>Fix:
	
The port should be marked as broken or someone needs to go through it
and fix all the holes.  Just fixing this one is not enough.

I have sent the authors a note about this.
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message