Date: Tue, 07 Dec 1999 12:46:18 -0700 From: tstromberg@rtci.com To: freebsd-audit@freebsd.org Subject: FW: Buffer overflows Message-ID: <84714733.944601517508.JavaMail.chenresig@karma>
next in thread | raw e-mail | index | archive | help
This was sent to me by Theo DeRaadt (everyone on this list should be familiar with him). I thought you guys might be interested since we seem to be helping each other quite a bit. We may want to integrate several of their programs as we see here, or at least apply similar fixes if need be.
On a side note, I managed to accidentally trash all of my testing data by removing the wrong directory, but at least it's forced me to rewrite some large portions of the testing code. I've added (and fixed) several more tests, and found an interim solutions to all of the lovely zombies I've been getting. Hopefully the zombie fixes will mean less reboots for me in -CURRENT.
I guess this means I get to re-run through all of the binaries, this time however I'll have simultaneous testing with -CURRENT, two -STABLE machines, Solaris 7. Right now I've got one of our admins installing an OpenBSD 2.6 system for tests as well.
Hi Thomas.
Referencing:
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=41804+0+current/freebsd-audit
--------------------
07DEC99 /usr/sbin/fsinfo fsinfo -D [3000]
07DEC99 /usr/bin/tconv set $TERMCAP to [2000], tconv -D blah
These are not in openbsd.
07DEC99 /usr/libexec/f771 stdin overflow, echo [2000] | f771 -G
OpenBSD f77 does not show this bug; we use the brand new gcc
2.95.1 codebase.
07DEC99 /usr/bin/rs stdin overflow, echo [1000] | rs (handled)
revision 1.2
date: 1996/05/21 21:37:11; author: deraadt; state: Exp; lines: +46 -45
avoid divide-by-zero trap when specifying small widths
do not overrun entry array when printing output tables
cleanup storage allocation for entries
use err/warn etc.
07DEC99 /usr/libexec/getty stdin overflow, echo [2000] | getty -x
Just fixed.
revision 1.13
date: 1999/12/07 19:24:27; author: deraadt; state: Exp; lines: +7 -5
do not crash if stdin is not a tty
07DEC99 /usr/libexec/elf/as as [65000]
07DEC99 /usr/libexec/aout/as as [65000]
Cannot reproduce.
07DEC99 /usr/bin/rpcgen rpcgen -Y [8192]
revision 1.4
date: 1999/12/04 21:58:31; author: deraadt; state: Exp; lines: +6 -5
oflow
Note the date very carefully. That's what I call 'proactive'
07DEC99 /usr/bin/jot jot -w [8192] (all args)
revision 1.4
date: 1999/12/04 21:28:34; author: deraadt; state: Exp; lines: +8 -4
more oflows
Again, note the date.
07DEC99 /usr/bin/indent set $HOME to [8192]
revision 1.3
date: 1996/10/28 00:36:23; author: millert; state: Exp; lines: +7 -2
Safe $HOME usage.
03DEC99 /usr/bin/error error -I [16384]
revision 1.5
date: 1999/12/04 00:16:52; author: deraadt; state: Exp; lines: +11 -9
avoid overflows
03DEC99 /usr/bin/fsplit fsplit -e [16384]
We have not fixed the 10 problems in fsplit yet. We may just remove
it, since noone uses it.
03DEC99 /usr/bin/grops grops -c blah [16384]
Not fixed yet.
03DEC99 /usr/bin/patch patch -r [16384]
patch.c:
----------------------------
revision 1.13
date: 1999/12/04 01:01:06; author: provos; state: Exp; lines: +9 -5
avoid overflows
util.c
revision 1.9
date: 1999/12/04 21:00:03; author: provos; state: Exp; lines: +19 -40
a few more overflows gone
----------------------------
revision 1.8
date: 1999/12/04 01:04:14; author: provos; state: Exp; lines: +3 -3
revert strlcpy to strcpy for one case.
----------------------------
revision 1.7
date: 1999/12/04 01:01:07; author: provos; state: Exp; lines: +12 -9
avoid overflows
pch.c
revision 1.10
date: 1999/12/04 01:01:07; author: provos; state: Exp; lines: +7 -7
avoid overflows
----------------------------
03DEC99 /usr/bin/pr+ pr -s [16384]
date: 1999/12/03 23:43:02; author: deraadt; state: Exp; lines: +8 -7
the -s option was broken; spotted by tstromberg@rtci.com on freebsd-audit,
but i have not seen them fix any of the bugs
That one includes a little bit of realistic commentary.
03DEC99 /usr/bin/ypcat+ ypcat -d [16384] blah <libc!>
This bug was fixed almost 4 years ago.
03DEC99 /usr/libexec/aout/as stdin overflow, echo [16384] | as -I
This bug still exists.
30NOV99 /usr/bin/awk awk -f [8192]
We use a different awk; the true Kernighan version.
That said, we found other bugs and fixed them:
revision 1.8
date: 1999/12/04 00:12:25; author: millert; state: Exp; lines: +6 -2
Fix 2 core dumps:
1) give an error if the user specifies > 20 -f options instead of oflowing
2) use snprintf in the ERROR macro to avoid an oflow
30NOV99 /usr/bin/ee set $NLSPATH to [32769]
30NOV99 /usr/bin/doscmd doscmd [4000]
Not in OpenBSD.
30NOV99 /usr/bin/dnsquery dnsquery [4000]
revision 1.4
date: 1999/12/04 00:22:34; author: deraadt; state: Exp; lines: +15 -4
avoid overflow
30NOV99 /usr/bin/dig dig -k [16000]
This is a disaster. We've not fixed it yet.
30NOV99 /usr/bin/crunchgen crunchgen [8192]
revision 1.15
date: 1999/12/06 01:47:58; author: deraadt; state: Exp; lines: +46 -16
oflow fixes; provos
30NOV99 /usr/bin/colldef colldef -I [8192]
Not in OpenBSD.
30NOV99 /usr/bin/captoinfo set $TERMCAP to [32769]
Not reproduceable. We use brand new ncurses.
30NOV99 /usr/bin/banner+ banner [8192]
Must have been a bug introduced by FreeBSD.
30NOV99 /usr/bin/as as [8192]
Not reproduceable.
30NOV99 /usr/bin/apply startslip -d [8192] -c [8192]
revision 1.6
date: 1999/12/03 23:55:18; author: deraadt; state: Exp; lines: +3 -3
off by one for string length calculation
Note that FreeBSD has the same fix, but this patch went out a few hours
before it was fixed in FreeBSD....
30NOV99 /usr/bin/Mail set $HOME to [32769]
revision 1.4
date: 1996/10/28 00:42:21; author: millert; state: Exp; lines: +3 -3
Ignore $HOME if > MAXPATHLEN
30NOV99 /sbin/startslip startslip -d [8192] -c [8192]
30NOV99 /sbin/natd natd -w [16384] blah
Not in OpenBSD.
30NOV99 /sbin/mount_mfs mount_mfs [8192] [8192]
Bug not in OpenBSD.
30NOV99 /sbin/dhclient dhclient [40000]
revision 1.7
date: 1999/12/04 00:15:09; author: angelos; state: Exp; lines: +2 -2
Careful with long, command-line provided interface names.
30NOV99 /bin/red red [40000]
30NOV99 /bin/ed ed [40000]
revision 1.14
date: 1998/05/18 20:36:14; author: deraadt; state: Exp; lines: +27 -13
buf oflows
15NOV99 /usr/bin/systat* race condition with bad exit
I have never seen that bug. I do know of another two bugs in systat,
not security related, but have not managed to reproduce them.
10NOV99 /sbin/rdump*+ dump -0 [1024] <libc!>
10NOV99 /sbin/dump*+ dump -0 [1024] <libc!>
Numerous fixes over the years for buffer overflows, including:
revision 1.25
date: 1998/11/24 01:25:47; author: deraadt; state: Exp; lines: +2 -2
Wall, and do not let tapesize overflow
--------------------
revision 1.21
date: 1998/08/07 17:29:25; author: millert; state: Exp; lines: +23 -23
Use strlcpy() instead of strncpy().
Change the order of name -> raw device conversions
1) statfs the name and use that info iff the name is the mount point
2) look up name in fstab
3) treat as a device
The reason for this is that the mounted filesystems may not agree with
what fstab says. Anyone who has ever moved disks around and accidentally
dumped and empty filesystem will know what I mean.
--------------------
revision 1.9
date: 1996/09/14 03:26:02; author: millert; state: Exp; lines: +1 -2
Now uses "wall -g" so no need to be setgid tty. This makes $RSH work.
Also fix buf oflow.
----
revision 1.5
date: 1996/08/02 10:26:48; author: deraadt; state: Exp; lines: +3 -3
mostly harmless buffer overflow
I grant you permission to re-post this to the freebsd mailing lists. I don't
post there, but you may repost this, if it helps your cause.
If there is any doubt as to what the freebsd-audit project is, and how
freebsd deals with code quality concerns, this should be it.
But moreso, it says who OpenBSD is. OpenBSD people -- we've got a few more
bugs to squish.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?84714733.944601517508.JavaMail.chenresig>