Date: Fri, 8 Feb 2002 13:59:11 +0200 From: Ruslan Ermilov <ru@FreeBSD.ORG> To: biometrix <bio.metrix@gte.net> Cc: audit@FreeBSD.ORG Subject: Re: GNU rcs suite - RCSLOCALID overflow. Message-ID: <20020208135911.B54593@sunbay.com> In-Reply-To: <20020206230233.DUPK10804.out006.verizon.net@there> References: <20020206230233.DUPK10804.out006.verizon.net@there>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Feb 05, 2002 at 05:06:15PM +0000, biometrix wrote:
> There is a buffer overflow in the GNU RCS suite.
> It occurs in the handling of the RCSLOCALID environment variable.
>
> in /usr/src/gnu/usr.bin/rcs/lib/rcskeys.c the function setRCSLocalId() the
> variable ("string") is set from the earlier call cgetenv("RCSLOCALID")))
> If RCSLOCALID string is to large for the buffer that is about to be strcpy'd
> into local_id a warning is given in the form of :
> error("LocalId is too long");
> The error is not trapped and so a segmentation fault occurs at this line:
> VOID strcpy(local_id, key);
>
> I truncated the RCSLOCALID variable to the size of "keylength" with a
> strlcpy() call. This probably wasn't the best way of handling it? but it does
> seem to handle the error Ok.
>
> example:
> bash-2.05# export RCSLOCALID=`perl -e 'print "A" x 5000'`
> bash-2.05# rcs
> rcs: LocalId is too long
> Segmentation fault (core dumped)
> bash-2.05# /usr/src/gnu/usr.bin/rcs/rcs/rcs
> rcs: LocalId is too long. truncated RCSLOCALID
> bash-2.05#
>
Thanks for the spot! I've committed a different fix.
Cheers,
--
Ruslan Ermilov Sysadmin and DBA,
ru@sunbay.com Sunbay Software AG,
ru@FreeBSD.org FreeBSD committer,
+380.652.512.251 Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020208135911.B54593>