Date: Wed, 9 Dec 1998 05:10:28 -0800 (PST) From: Cy Schubert <Cy.Schubert@uumail.gov.bc.ca> To: FreeBSD-gnats-submit@FreeBSD.ORG Subject: bin/9031: bootpd.c buffer overrun Message-ID: <199812091310.FAA09756@passer.osg.gov.bc.ca>
next in thread | raw e-mail | index | archive | help
>Number: 9031 >Category: bin >Synopsis: OpenBSD fix to bootpd remote root exploit >Confidential: no >Severity: critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Dec 9 05:20:01 PST 1998 >Last-Modified: >Originator: Cy Schubert >Organization: ITSD, Province of BC >Release: FreeBSD 2.2.8-RELEASE i386 >Environment: FreeBSD passer.osg.gov.bc.ca 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE #0: Thu Dec 3 08:25:32 PST 1998 root@passer.osg.gov.bc.ca:/opt/usr_src-228/src/sys/compile/PASSER i386 Supplied patch will apply cleanly to 3.0 tree. >Description: Buffer overrun condition in bootpd.c can be remotely exploited to obtain unauthorized root privilege. >How-To-Repeat: Exploit code unavailable to me. >Fix: The following patch will apply cleanly to 2.2 and 3.0 CVS trees. Thanks to Theo de Raadt for creating the OpenBSD patch, which this patch is based on. --- /usr/src/libexec/bootpd/bootpd.c Sat Jul 18 23:52:58 1998 +++ /tmp/bootpd.c Wed Dec 9 04:56:55 1998 @@ -833,7 +833,8 @@ * daemon chroot directory (i.e. /tftpboot). */ if (hp->flags.tftpdir) { - strcpy(realpath, hp->tftpdir->string); + strncpy(realpath, hp->tftpdir->string,sizeofr(realpath-1)); + realpath[sizeof(realpath-1)] = '\0'; clntpath = &realpath[strlen(realpath)]; } else { realpath[0] = '\0'; >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199812091310.FAA09756>