Date:      Tue, 5 Feb 2002 17:06:15 +0000
From:      biometrix <bio.metrix@gte.net>
To:        audit@freebsd.org
Subject:   GNU rcs suite -  RCSLOCALID overflow.
Message-ID:  <20020206230233.DUPK10804.out006.verizon.net@there>



There is a buffer overflow in the GNU RCS suite.
It occurs in the handling of the RCSLOCALID environment variable.

In /usr/src/gnu/usr.bin/rcs/lib/rcskeys.c, in the function setRCSLocalId(), the
variable ("string") is set from the earlier call cgetenv("RCSLOCALID").
If the RCSLOCALID string is too large for the buffer that it is about to be strcpy'd
into (local_id), a warning is given in the form of:
error("LocalId is too long");
The error is not trapped, and so a segmentation fault occurs at this line:
VOID strcpy(local_id, key);

I truncated the RCSLOCALID variable to the size of "keylength" with a
strlcpy() call. This probably wasn't the best way of handling it, but it does
seem to handle the error OK.

Example:
bash-2.05# export RCSLOCALID=`perl -e 'print "A" x 5000'`
bash-2.05# rcs
rcs: LocalId is too long
Segmentation fault (core dumped)
bash-2.05# /usr/src/gnu/usr.bin/rcs/rcs/rcs
rcs: LocalId is too long. truncated RCSLOCALID
bash-2.05#

The problem affects the following binaries:
rcs rcsclean rcsdiff rcsmerge and rlog

None of the RCS suite is setuid so no privilege escalation occurs.

John Johnson.

[Attachment: rcskeys.patch (text/x-diff, "patch for RCSLOCALID overflow"); the base64 content is not present in this archive copy.]
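The check-then-copy pattern the report describes, as an added illustration that is not the RCS source and not the reporter's attached patch: a length check that only warns, followed by an unconditional strcpy into a fixed buffer, placed next to two bounded alternatives, the truncating strlcpy-style copy the reporter chose and a variant that rejects the oversize value and leaves the buffer untouched. The buffer size KEYLENGTH, the function names and the local rcs_strlcpy helper are assumptions made for this example (glibc only gained strlcpy recently, so the helper avoids depending on it).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed buffer size for the example; not the value RCS uses. */
#define KEYLENGTH 32

static char local_id[KEYLENGTH];

/* strlcpy semantics: copy at most size-1 bytes, always NUL-terminate,
 * return strlen(src) so the caller can detect truncation. */
static size_t rcs_strlcpy(char *dst, const char *src, size_t size) {
    size_t len = strlen(src);
    if (size) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* The defective pattern from the report: the length check only prints a
 * warning, execution falls through, and strcpy writes past local_id for
 * a long key. Shown for contrast only; never called with untrusted input. */
void set_local_id_unsafe(const char *key) {
    if (strlen(key) >= sizeof local_id)
        fprintf(stderr, "rcs: LocalId is too long\n");
    strcpy(local_id, key);          /* unbounded write: the bug */
}

/* Fix 1 (the reporter's choice): warn and truncate to what fits.
 * Returns 1 if the key was truncated, 0 if it fit. */
int set_local_id_truncate(const char *key) {
    int truncated = rcs_strlcpy(local_id, key, sizeof local_id) >= sizeof local_id;
    if (truncated)
        fprintf(stderr, "rcs: LocalId is too long. truncated RCSLOCALID\n");
    return truncated;
}

/* Fix 2: treat an oversize key as a fatal input error. The buffer is left
 * unchanged so a rejected value can never be used partially.
 * Returns 0 on success, -1 on rejection. */
int set_local_id_reject(const char *key) {
    size_t len = strlen(key);
    if (len >= sizeof local_id) {
        fprintf(stderr, "rcs: LocalId is too long\n");
        return -1;
    }
    memcpy(local_id, key, len + 1);
    return 0;
}

const char *get_local_id(void) { return local_id; }

/* Helper for demonstrations: a constructed key of n 'A' characters
 * (capped at 199), standing in for the perl-generated value in the report. */
const char *long_key(size_t n) {
    static char buf[200];
    if (n > sizeof buf - 1)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void) {
    /* Same input path as the report: the value comes from the environment. */
    const char *env = getenv("RCSLOCALID");
    if (env == NULL)
        env = "default";
    if (set_local_id_truncate(env))
        printf("stored truncated id: %s\n", get_local_id());
    else
        printf("stored id: %s\n", get_local_id());
    return 0;
}
```

Both fixes keep the warning the original code already emits; the difference is that the copy is bounded (fix 1) or skipped (fix 2), so an oversize RCSLOCALID can at most produce a diagnostic rather than a crash.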
