Date:      Fri, 27 Aug 1999 09:49:50 -0600 (MDT)
From:      Paul Hart <hart@iserver.com>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Buffer overflow in vixie cron?
Message-ID:  <Pine.BSF.3.96.990827093930.8960A-100000@anchovy.orem.iserver.com>
In-Reply-To: <Pine.BSF.3.96.990826221017.8059A-100000@anchovy.orem.iserver.com>

On Thu, 26 Aug 1999, Paul Hart wrote:

> Our code already uses snprintf when using the MAILTO value, but the
> original Vixie cron used sprintf without length checks in both version
> 3.0 and 3.0.1.  I'm assuming that's where the hole was.

I take that back.  On closer inspection, the Red Hat patch fixes an
overflow in cron_popen() in the for loop where the command string is
broken down into tokens to make an argv[] array.  In the original version,
Vixie cron does not keep track of how many tokens it has extracted from
the command string and it looks like it will happily overwrite past the
end of the stack buffer where it keeps the array it's making.  Again, cron
in FreeBSD appears to have already fixed this hole (yay!) but the hole
appears not to have been as obvious as a string overflow.

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/
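The defect described above is a token loop that never counts how many argv[] slots it has filled. As an added illustration (not Vixie cron's or FreeBSD's code; the function names and the small MAX_ARGS value are assumptions), here is the bounded form of that loop: it keeps the count, reserves the terminating NULL slot, and rejects the command instead of writing past the fixed array.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_ARGS 8  /* deliberately small so the limit is easy to exercise */

/* Split cmd on whitespace into argv[], which has room for max_args pointers.
 * cmd is copied into buf (buflen bytes) so tokens can be NUL-terminated in
 * place without modifying the caller's string.
 * Returns the token count, or -1 if cmd does not fit in buf or would need
 * more than max_args - 1 tokens (one slot is always kept for the NULL). */
int tokenize_bounded(const char *cmd, char *buf, size_t buflen,
                     char *argv[], int max_args)
{
    size_t len = strlen(cmd);
    int argc = 0;
    char *p;

    if (max_args < 1 || len + 1 > buflen)
        return -1;
    memcpy(buf, cmd, len + 1);

    p = buf;
    for (;;) {
        while (*p && isspace((unsigned char)*p))
            p++;                          /* skip separators */
        if (!*p)
            break;                        /* no more tokens */
        if (argc >= max_args - 1) {       /* the count check the original loop lacked */
            argv[0] = NULL;
            return -1;
        }
        argv[argc++] = p;                 /* token starts here */
        while (*p && !isspace((unsigned char)*p))
            p++;
        if (*p)
            *p++ = '\0';                  /* terminate token, continue after it */
    }
    argv[argc] = NULL;                    /* execv-style terminator */
    return argc;
}

/* Wrapper with fixed-size stack storage, the layout the message describes. */
int count_tokens(const char *cmd)
{
    char buf[256];
    char *argv[MAX_ARGS];
    return tokenize_bounded(cmd, buf, sizeof buf, argv, MAX_ARGS);
}
```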
