Date: Fri, 8 Feb 2002 13:59:11 +0200 From: Ruslan Ermilov <ru@FreeBSD.ORG> To: biometrix <bio.metrix@gte.net> Cc: audit@FreeBSD.ORG Subject: Re: GNU rcs suite - RCSLOCALID overflow. Message-ID: <20020208135911.B54593@sunbay.com> In-Reply-To: <20020206230233.DUPK10804.out006.verizon.net@there> References: <20020206230233.DUPK10804.out006.verizon.net@there>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Feb 05, 2002 at 05:06:15PM +0000, biometrix wrote: > There is a buffer overflow in the GNU RCS suite. > It occurs in the handling of the RCSLOCALID environment variable. > > in /usr/src/gnu/usr.bin/rcs/lib/rcskeys.c the function setRCSLocalId() the > variable ("string") is set from the earlier call cgetenv("RCSLOCALID"))) > If RCSLOCALID string is to large for the buffer that is about to be strcpy'd > into local_id a warning is given in the form of : > error("LocalId is too long"); > The error is not trapped and so a segmentation fault occurs at this line: > VOID strcpy(local_id, key); > > I truncated the RCSLOCALID variable to the size of "keylength" with a > strlcpy() call. This probably wasn't the best way of handling it? but it does > seem to handle the error Ok. > > example: > bash-2.05# export RCSLOCALID=`perl -e 'print "A" x 5000'` > bash-2.05# rcs > rcs: LocalId is too long > Segmentation fault (core dumped) > bash-2.05# /usr/src/gnu/usr.bin/rcs/rcs/rcs > rcs: LocalId is too long. truncated RCSLOCALID > bash-2.05# > Thanks for the spot! I've committed a different fix. Cheers, -- Ruslan Ermilov Sysadmin and DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020208135911.B54593>