Date: Wed, 14 Dec 2011 17:12:06 +0900 (JST)
From: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: turutani@scphys.kyoto-u.ac.jp
Subject: ports/163274: fix some latent buffer overflow bug
Message-ID: <201112140812.pBE8C6qe008209@h120.65.226.10.32118.vlan.kuins.net>
Resent-Message-ID: <201112140820.pBE8K7FA018866@freefall.freebsd.org>
>Number: 163274
>Category: ports
>Synopsis: fix some latent buffer overflow bug
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 14 08:20:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Tsurutani Naoki
>Release: FreeBSD 8.2-PRERELEASE i386
>Organization:
>Environment: System: FreeBSD h120.65.226.10.32118.vlan.kuins.net 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #25: Mon Jan 24 10:37:18 JST 2011 turutani@h120.65.226.10.32118.vlan.kuins.net:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386
>Description: games/xshisen contains a buffer overflow vulnerability concerning the GECOS field. Also fix a bug around the high score.
>How-To-Repeat:
>Fix: here are some patches:
--- components.h.orig 2002-07-07 16:34:23.000000000 +0900 +++ components.h 2011-12-07 11:31:45.000000000 +0900 @@ -61,6 +61,8 @@ #define HNUM (PKIND*2) // Number of pairs to pick up #define SCORENUM 10 // Number of people to register in high-score #define NAMELEN 28 // Length of name in high-score +#define NBUFLEN 127 // Length of namebuf-1 +#define GECOSLEN (NBUFLEN-12) // Length for GECOS field-1 class Timer { private: --- score.C.orig 2002-06-16 00:20:30.000000000 +0900 +++ score.C 2011-12-14 16:34:35.000000000 +0900 @@ -73,7 +73,7 @@ date[8] = '\0'; strncpy(time, &buffer[53], 8); time[8] = '\0'; - if (date[0] == '1') { + if (date[3] == '-') { for(int i=1; i<8; i++) { date[i-1] = date[i]; } 
@@ -372,12 +372,12 @@ time_t t; struct tm *tp; struct passwd *pw; - char namebuf[128], myname[NAMELEN+1], gecos[128], *po; + char namebuf[NBUFLEN+1], myname[NAMELEN+1], gecos[GECOSLEN+1], *po; s1 = scoreToRegister / 1000; ms_to_hms(scoreToRegister, h, m, s); pw = getpwuid(getuid()); - strcpy(gecos, pw->pw_gecos); + strncpy(gecos, pw->pw_gecos, GECOSLEN); if ((po = strchr(gecos, ',')) != NULL) *po = 0; sprintf(namebuf, "%-8.8s (%s)", pw->pw_name, gecos); --- main.C.orig 2002-07-07 16:33:55.000000000 +0900 +++ main.C 2011-12-07 11:56:13.000000000 +0900 @@ -210,7 +210,7 @@ char buffer[100], *p; char *(*codeconv)(const char*); - strcpy(buffer, operation); + strncpy(buffer, operation, 99); if (strchr(buffer, '-') == NULL) { strcat(buffer, "-" KANJICODE); } >Release-Note: >Audit-Trail: >Unformatted:
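Review bot: the comments on the two new macros in the components.h hunk do not say where 127 and 12 come from, so the next person editing the `"%-8.8s (%s)"` format in score.C will not know that GECOSLEN depends on it. Suggest spelling out the budget in the comment: NBUFLEN is sizeof(namebuf) - 1, and the 12 is 8 (the `%-8.8s` user name) + 3 (the `" ("` and `")"`) + 1 (the NUL), which leaves namebuf at 126 characters plus NUL for a GECOSLEN-byte field, one byte under the 128 allocated. Defining GECOSLEN right next to the format it is derived from, or adding a comment at the sprintf pointing back at GECOSLEN, would keep the two from drifting apart.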
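Review bot: in the first score.C hunk the new condition `date[3] == '-'` replaces `date[0] == '1'`, but there is no comment saying which record layout puts a '-' at index 3. The old test would have fired on any date whose first digit is '1' (every two-digit year from 10 to 19) and shifted a correct date one character to the left, which is presumably the high-score bug the description mentions; the new structural test avoids that, so the reason for the shift loop deserves a one-line comment naming the legacy format it repairs. date[8] is set to '\0' just above and the array is indexed up to 8 in the loop, so the index itself is in bounds.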
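Review bot: the `strncpy(gecos, pw->pw_gecos, GECOSLEN)` in the second score.C hunk leaves gecos unterminated whenever pw_gecos is GECOSLEN bytes or longer, which is exactly the long-GECOS case this patch exists to handle; strncpy writes no NUL when the source does not fit, so the following `strchr(gecos, ',')` and `sprintf(namebuf, "%-8.8s (%s)", ...)` then read past the end of gecos[GECOSLEN+1]. Add `gecos[GECOSLEN] = '\0';` after the strncpy, matching the `date[8] = '\0';` idiom already used in this file, or use `strlcpy(gecos, pw->pw_gecos, sizeof gecos)`, which is available on FreeBSD. While here, `snprintf(namebuf, sizeof namebuf, ...)` would keep namebuf safe even if the format or GECOSLEN is changed later, and `pw` from `getpwuid(getuid())` is dereferenced without a NULL check.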
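Review bot: the main.C hunk swaps strcpy for `strncpy(buffer, operation, 99)` but leaves two problems: strncpy does not terminate buffer when operation is 99 bytes or longer, so the `strchr(buffer, '-')` that follows can read past buffer[100]; and the `strcat(buffer, "-" KANJICODE)` on the next line still appends to a buffer that nothing guarantees has room for the suffix, so the overflow moves rather than disappears. Suggest `strlcpy(buffer, operation, sizeof buffer)` followed by `strlcat(buffer, "-" KANJICODE, sizeof buffer)` (or an explicit `buffer[sizeof buffer - 1] = '\0'` plus a length check before the strcat), and replacing the literal 99 with `sizeof buffer - 1` so the bound tracks the declaration.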
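As an added illustration of the GECOS handling the description talks about (this is example code written for this page, not xshisen's code and not part of the patch), the block below builds the same `"<user> (<full name>)"` high-score string into a 128-byte namebuf as score.C does, but bounds every copy and guarantees a terminator, and it shows the strncpy failure mode that a fixed-size copy of the GECOS field has to avoid. The helper names, the 'A'-filled sample GECOS entry and the 400-byte cap are this example's own constructions; the 128-byte buffer, the `%-8.8s` name format and the comma-separated GECOS layout are taken from the patch.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not xshisen's code: build the high-score display name
 * "<user> (<GECOS full name>)" without assuming the GECOS entry is short.
 * Only the first comma-separated GECOS field is printed, and it is read in
 * place through %.*s, so no intermediate copy (and no strncpy termination
 * hazard) is needed.  Returns the length snprintf wanted to write; a value
 * >= outsz means the result was truncated to fit, but it is always NUL
 * terminated when outsz > 0.
 */
size_t format_score_name(char *out, size_t outsz,
                         const char *pw_name, const char *pw_gecos)
{
    const char *comma = strchr(pw_gecos, ',');
    size_t fieldlen = comma ? (size_t)(comma - pw_gecos) : strlen(pw_gecos);
    int n = snprintf(out, outsz, "%-8.8s (%.*s)",
                     pw_name, (int)fieldlen, pw_gecos);
    return n < 0 ? 0 : (size_t)n;
}

/*
 * The hazard in strncpy(dst, src, N): when src holds N or more bytes, dst
 * receives no NUL at all.  Builds a src of `srclen` 'A's (constructed input),
 * copies it into a buffer pre-filled with 'X' (standing in for stale stack
 * bytes), and returns 1 if no terminator landed anywhere in dst[0..N],
 * 0 if the copy was terminated, -1 if the sizes exceed the scratch space.
 */
int strncpy_unterminated(size_t srclen, size_t n)
{
    char src[512], dst[512];
    if (srclen >= sizeof src || n >= sizeof dst)
        return -1;
    memset(src, 'A', srclen);
    src[srclen] = '\0';
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, n);
    return memchr(dst, '\0', n + 1) == NULL;
}

/*
 * Drive format_score_name() with a constructed GECOS entry of `gecos_len`
 * 'A's followed by ",room,phone" into a 128-byte namebuf (the size used in
 * score.C).  Returns strlen(namebuf) after formatting, or (size_t)-1 if
 * namebuf ended up without a terminator.
 */
size_t demo_written_length(size_t gecos_len)
{
    char gecos[512], namebuf[128];
    if (gecos_len > 400)
        return (size_t)-1;
    memset(gecos, 'A', gecos_len);
    gecos[gecos_len] = '\0';
    strcat(gecos, ",room,phone");
    memset(namebuf, 'X', sizeof namebuf);   /* simulate stale stack contents */
    format_score_name(namebuf, sizeof namebuf, "turutani", gecos);
    if (memchr(namebuf, '\0', sizeof namebuf) == NULL)
        return (size_t)-1;
    return strlen(namebuf);
}

int main(void)
{
    char namebuf[128];
    size_t need = format_score_name(namebuf, sizeof namebuf,
                                    "turutani", "Tsurutani Naoki,room 1");
    printf("%zu bytes needed: \"%s\"\n", need, namebuf);
    printf("200-byte GECOS field: namebuf holds %zu chars, terminated\n",
           demo_written_length(200));
    printf("strncpy of a 200-byte field with n=115 left no NUL: %d\n",
           strncpy_unterminated(200, 115));
    return 0;
}
```

The 115 used in the last call is the patch's GECOSLEN (127 - 12); `strncpy_unterminated(115, 115)` also returns 1, which is why a copy of exactly GECOSLEN bytes still needs an explicit `gecos[GECOSLEN] = '\0'`. `demo_written_length(115)` returns 126, the one-byte-spare case the macro arithmetic was sized for, while 200 is truncated to 127 characters instead of overrunning namebuf.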
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201112140812.pBE8C6qe008209>