From: Tsurutani Naoki
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: turutani@scphys.kyoto-u.ac.jp
Reply-To: Tsurutani Naoki
Date: Wed, 14 Dec 2011 17:12:06 +0900 (JST)
Message-Id: <201112140812.pBE8C6qe008209@h120.65.226.10.32118.vlan.kuins.net>
Subject: ports/163274: fix some latent buffer overflow bug
List-Id: Ports bug reports
X-Send-Pr-Version: 3.113

>Number: 163274
>Category: ports
>Synopsis: fix some latent buffer overflow bug
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 14 08:20:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Tsurutani Naoki
>Release: FreeBSD 8.2-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD h120.65.226.10.32118.vlan.kuins.net 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #25: Mon Jan 24 10:37:18 JST 2011 turutani@h120.65.226.10.32118.vlan.kuins.net:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386
>Description:
games/xshisen contains a buffer overflow vulnerability involving the GECOS field. The patch also fixes a bug around the high-score handling.
>How-To-Repeat:
>Fix:
Here are some patches:

--- components.h.orig 2002-07-07 16:34:23.000000000 +0900 +++ components.h 2011-12-07 11:31:45.000000000 +0900
@@ -61,6 +61,8 @@ #define HNUM (PKIND*2) // Number of pairs to pick up #define SCORENUM 10 // Number of people to register in high-score #define NAMELEN 28 // Length of name in high-score +#define NBUFLEN 127 // Length of namebuf-1 +#define GECOSLEN (NBUFLEN-12) // Length for GECOS field-1 class Timer { private: --- score.C.orig 2002-06-16 00:20:30.000000000 +0900 +++ score.C 2011-12-14 16:34:35.000000000 +0900 @@ -73,7 +73,7 @@ date[8] = '\0'; strncpy(time, &buffer[53], 8); time[8] = '\0'; - if (date[0] == '1') { + if (date[3] == '-') { for(int i=1; i<8; i++) { date[i-1] = date[i]; } @@ -372,12 +372,12 @@ time_t t; struct tm *tp; struct passwd *pw; - char namebuf[128], myname[NAMELEN+1], gecos[128], *po; + char namebuf[NBUFLEN+1], myname[NAMELEN+1], gecos[GECOSLEN+1], *po; s1 = scoreToRegister / 1000; ms_to_hms(scoreToRegister, h, m, s); pw = getpwuid(getuid()); - strcpy(gecos, pw->pw_gecos); + strncpy(gecos, pw->pw_gecos, GECOSLEN); if ((po = strchr(gecos, ',')) != NULL) *po = 0; sprintf(namebuf, "%-8.8s (%s)", pw->pw_name, gecos); --- main.C.orig 2002-07-07 16:33:55.000000000 +0900 +++ main.C 2011-12-07 11:56:13.000000000 +0900 @@ -210,7 +210,7 @@ char buffer[100], *p; char *(*codeconv)(const char*); - strcpy(buffer, operation); + strncpy(buffer, operation, 99); if (strchr(buffer, '-') == NULL) { strcat(buffer, "-" KANJICODE); } >Release-Note: >Audit-Trail: >Unformatted:
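Review bot: in the components.h hunk, `#define GECOSLEN (NBUFLEN-12)` silently encodes the layout of the `"%-8.8s (%s)"` format used later in score.C (8 characters of login, `" ("`, `")"` and the terminating NUL add up to the 12); a comment spelling out that derivation, or defining GECOSLEN next to the format it depends on, would keep the two from drifting apart if the format changes. The comment `// Length of namebuf-1` also reads as arithmetic rather than as a description: say that NBUFLEN is the maximum string length and that the array is declared one byte larger for the NUL.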
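Review bot: the first score.C hunk replaces `if (date[0] == '1')` with `if (date[3] == '-')` without saying which two date layouts the new test distinguishes; since the report only describes this as "a bug around high-score", a one-line comment naming the layout that needs its leading character dropped would help the next reader. Note also that the shift loop visible in this hunk copies date[1..7] down into date[0..6] but leaves date[7] unchanged, so unless code outside the hunk writes a terminator at date[7], the shortened date keeps a duplicated last character.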
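Review bot: in the second score.C hunk, `strncpy(gecos, pw->pw_gecos, GECOSLEN)` does not NUL-terminate gecos when pw_gecos is GECOSLEN characters or longer, and gecos is an uninitialised stack array, so the following `strchr(gecos, ',')` and `sprintf(namebuf, ...)` can read past its end. Add `gecos[GECOSLEN] = '\0';` right after the copy; the array is declared `gecos[GECOSLEN+1]` for exactly that, and this file already uses the pattern a few lines up (`strncpy(time, &buffer[53], 8); time[8] = '\0';`). Two further points in the same hunk: `pw` is dereferenced without checking `getpwuid()` for NULL, and replacing `sprintf(namebuf, ...)` with `snprintf(namebuf, sizeof namebuf, ...)` would enforce the namebuf bound directly instead of relying on the GECOSLEN arithmetic in components.h.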
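Review bot: the main.C hunk has the same termination gap: `strncpy(buffer, operation, 99)` leaves buffer without a NUL when `operation` is 99 characters or longer, and `strchr(buffer, '-')` then reads beyond it. Even with a terminator added, the following `strcat(buffer, "-" KANJICODE)` is unbounded, so an `operation` just under 99 characters that contains no '-' still overflows the 100-byte buffer. Use `strlcpy(buffer, operation, sizeof buffer)` and `strlcat(buffer, "-" KANJICODE, sizeof buffer)` (both in FreeBSD libc), or check `strlen(buffer) + strlen("-" KANJICODE) < sizeof buffer` before appending.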
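A hardened form of the name-building routine that the score.C hunk patches, added here as an example (it is not the xshisen source or the submitter's patch): the GECOS copy is bounded and always NUL-terminated, and snprintf enforces the namebuf size directly rather than through the NBUFLEN/GECOSLEN arithmetic. The function names copy_gecos and build_score_name and the sample inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Sizes mirrored from the patched components.h (the +1 in the arrays is for the NUL). */
#define NBUFLEN 127
#define GECOSLEN (NBUFLEN - 12)

/* Copy the "real name" part of a GECOS field (everything before the first
 * comma) into dst, bounded by dstlen and always NUL-terminated.  This is
 * what strncpy() alone does not guarantee: when the source is at least
 * dstlen characters long, strncpy() writes no terminator at all. */
void copy_gecos(char *dst, size_t dstlen, const char *gecos)
{
    size_t n = strcspn(gecos, ",");      /* stop at the first comma, or at the end */
    if (n > dstlen - 1)
        n = dstlen - 1;                  /* truncate, leaving room for the NUL */
    memcpy(dst, gecos, n);
    dst[n] = '\0';
}

/* Build the high-score entry "login    (Real Name)" into out.  snprintf()
 * enforces outlen by itself, so the bound no longer depends on GECOSLEN
 * being kept consistent with the format string by hand.  Returns the
 * length the full string would have had, so callers can detect truncation. */
int build_score_name(char *out, size_t outlen, const char *login, const char *gecos)
{
    char real[GECOSLEN + 1];

    copy_gecos(real, sizeof real, gecos);
    return snprintf(out, outlen, "%-8.8s (%s)", login, real);
}

int main(void)
{
    /* Constructed inputs: an ordinary entry and an over-long GECOS field (hypothetical). */
    char longgecos[300];
    char namebuf[NBUFLEN + 1];

    build_score_name(namebuf, sizeof namebuf, "turutani", "Tsurutani Naoki,,,");
    printf("%s\n", namebuf);

    memset(longgecos, 'A', sizeof longgecos - 1);
    longgecos[sizeof longgecos - 1] = '\0';
    build_score_name(namebuf, sizeof namebuf, "turutani", longgecos);
    printf("len=%zu (max %d)\n", strlen(namebuf), NBUFLEN);
    return 0;
}
```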