Date: Wed, 9 Dec 1998 05:10:28 -0800 (PST)
From: Cy Schubert <Cy.Schubert@uumail.gov.bc.ca>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: bin/9031: bootpd.c buffer overrun
Message-ID: <199812091310.FAA09756@passer.osg.gov.bc.ca>
>Number: 9031
>Category: bin
>Synopsis: OpenBSD fix to bootpd remote root exploit
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 9 05:20:01 PST 1998
>Last-Modified:
>Originator: Cy Schubert
>Organization:
ITSD, Province of BC
>Release: FreeBSD 2.2.8-RELEASE i386
>Environment:
FreeBSD passer.osg.gov.bc.ca 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE #0: Thu Dec 3 08:25:32 PST 1998 root@passer.osg.gov.bc.ca:/opt/usr_src-228/src/sys/compile/PASSER i386
Supplied patch will apply cleanly to 3.0 tree.
>Description:
Buffer overrun condition in bootpd.c can be remotely exploited
to obtain unauthorized root privilege.
>How-To-Repeat:
Exploit code unavailable to me.
>Fix:
The following patch will apply cleanly to 2.2 and 3.0 CVS trees.
Thanks to Theo de Raadt for creating the OpenBSD patch, which
this patch is based on.
--- /usr/src/libexec/bootpd/bootpd.c Sat Jul 18 23:52:58 1998
+++ /tmp/bootpd.c Wed Dec 9 04:56:55 1998
@@ -833,7 +833,8 @@
* daemon chroot directory (i.e. /tftpboot).
*/
if (hp->flags.tftpdir) {
- strcpy(realpath, hp->tftpdir->string);
+ strncpy(realpath, hp->tftpdir->string,sizeofr(realpath-1));
+ realpath[sizeof(realpath-1)] = '\0';
clntpath = &realpath[strlen(realpath)];
} else {
realpath[0] = '\0';
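Review bot: Both added lines put the `- 1` inside the `sizeof` parentheses, and the `strncpy` line spells the operator `sizeofr`, so it will not compile as written. `sizeof(realpath-1)` measures the pointer expression `realpath-1`, not the buffer, so it evaluates to the pointer size (4 on i386) rather than the buffer length minus one. With the typo fixed but the parentheses left as they are, the copy is limited to 4 bytes and the terminator is stored at `realpath[4]`, which truncates every tftpdir path instead of bounding it to the buffer. Assuming `realpath` is a char array in this scope, the bound should read `strncpy(realpath, hp->tftpdir->string, sizeof(realpath) - 1);` followed by `realpath[sizeof(realpath) - 1] = '\0';`. The `clntpath` assignment on the next context line then points at the end of a correctly terminated string.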
>Audit-Trail:
>Unformatted:
