Date:      Sun, 29 Apr 2001 01:54:48 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        audit@FreeBSD.org
Subject:   CTM fixes
Message-ID:  <20010429015448.A76638@xor.obsecurity.org>


--XsQoSWH+UP9D9v3l
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Please review the following patch.  It contains the following changes:

* fix ctm(8) to use mkstemp() instead of tempnam() for tempfile
  creation.

* Tag the internal err() function with __printflike to allow checking
  for non-constant format string arguments (none exist)

* Use fmtcheck() to sanitize the tar command obtained via -t to make
  sure it doesn't contain extraneous format operators.

Kris

Index: ctm/ctm_pass2.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/usr.sbin/ctm/ctm/ctm_pass2.c,v
retrieving revision 1.18
diff -u -r1.18 ctm_pass2.c
--- ctm/ctm_pass2.c	2000/01/15 19:45:18	1.18
+++ ctm/ctm_pass2.c	2001/04/29 08:53:53
@@ -22,7 +22,7 @@
 {
     u_char *p,*q,*md5=3D0;
     MD5_CTX ctx;
-    int i,j,sep,cnt;
+    int i,j,sep,cnt,fdesc;
     u_char *trash=3D0,*name=3D0;
     struct CTM_Syntax *sp;
     struct stat st;
@@ -31,6 +31,7 @@
     char md5_1[33];
     struct CTM_Filter *filter;
     FILE *ed =3D NULL;
+    static char *template =3D NULL;
=20
     if(Verbose>3)
 	printf("Pass2 -- Checking if CTM-patch will apply\n");
@@ -187,8 +188,37 @@
 		    GETDATA(trash,cnt);
 		    if (!match)
 			break;
+		    if (!template) {
+			if (asprintf(&template, "%s/CTMclientXXXXXX",
+				TmpDir) =3D=3D -1) {
+			    fprintf(stderr, "  %s: malloc failed.\n",
+				sp->Key);
+			    ret |=3D Exit_Mess;
+			    return ret;
+		        }
+		    }
 		    if(!strcmp(sp->Key,"FN")) {
-			p =3D tempnam(TmpDir,"CTMclient");
+			if ((p =3D strdup(template)) =3D=3D NULL) {
+			    fprintf(stderr, "  %s: malloc failed.\n",
+				sp->Key);
+			    ret |=3D Exit_Mess;
+			    return ret;
+			}
+			if ((fdesc =3D mkstemp(p)) =3D=3D -1) {
+			    fprintf(stderr, "  %s: mkstemp failed.\n",
+				sp->Key);
+			    ret |=3D Exit_Mess;
+			    Free(p);
+			    return ret;
+			}
+			if (close(fdesc) =3D=3D -1) {
+			    fprintf(stderr, "  %s: close failed.\n",
+				sp->Key);
+			    ret |=3D Exit_Mess;
+			    unlink(p);
+			    Free(p);
+			    return ret;
+			}
 			j =3D ctm_edit(trash,cnt,name,p);
 			if(j) {
 			    fprintf(stderr,"  %s: %s edit returned %d.\n",
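Review bot: The descriptor returned by `mkstemp()` is closed immediately in the FN branch and only the name `p` is handed to `ctm_edit()`, so the file is presumably reopened by path afterwards; the FE hunk below does the same before `popen("ed","w")`. `mkstemp()` has already created the file exclusively, which removes the predictable-name race of `tempnam()`, but what stays safe after the `close()` depends on TmpDir not letting another user replace the entry (a private or sticky directory). `ctm_edit()` is not visible here, so this is inferred; if it can accept a descriptor or `FILE *`, keeping `fdesc` open would be the stronger form. Otherwise I would record the assumption next to the `close()`, e.g. `/* file pre-created by mkstemp(); consumer reopens it by name, so TmpDir must be private or sticky */`. The enclosing function starts and ends outside the hunk.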
@@ -208,7 +238,27 @@
 		        unlink(p);
 			Free(p);
 		    } else if (!strcmp(sp->Key,"FE")) {
-			p =3D tempnam(TmpDir,"CTMclient");
+			if ((p =3D strdup(template)) =3D=3D NULL) {
+			    fprintf(stderr, "  %s: malloc failed.\n",
+				sp->Key);
+			    ret |=3D Exit_Mess;
+			    return ret;
+			}
+			if ((fdesc =3D mkstemp(p)) =3D=3D -1) {
+			    fprintf(stderr, "  %s: mkstemp failed.\n",
+				sp->Key);
+			    ret |=3D Exit_Mess;
+			    Free(p);
+			    return ret;
+			}
+			if (close(fdesc) =3D=3D -1) {
+			    fprintf(stderr, "  %s: close failed.\n",
+				sp->Key);
+			    ret |=3D Exit_Mess;
+			    unlink(p);
+			    Free(p);
+			    return ret;
+			}
 			ed =3D popen("ed","w");
 			if (!ed) {
 			    WRONG
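Review bot: The `strdup()`/`mkstemp()`/`close()` sequence in the FE branch duplicates, line for line, the one added to the FN branch in the previous hunk, including all three error paths. Temp-file handling is easier to audit, and to tighten later (for example by keeping the descriptor open), when it lives in one place, so I would move it into a small static helper that returns the created name or NULL and call it from both branches. The helper name below is a placeholder and the sketch assumes `sp->Key` is a `char *`; the FE branch and the enclosing function continue outside the hunk.

```c
/* Create an empty, exclusively-created temp file from `template`.
 * Returns the malloc'd file name, or NULL after printing a diagnostic. */
static u_char *
ctm_tmpfile(const char *key, const char *template)
{
    char *name;
    int fdesc;

    if ((name = strdup(template)) == NULL) {
	fprintf(stderr, "  %s: malloc failed.\n", key);
	return NULL;
    }
    if ((fdesc = mkstemp(name)) == -1) {
	fprintf(stderr, "  %s: mkstemp failed.\n", key);
	Free(name);
	return NULL;
    }
    if (close(fdesc) == -1) {
	fprintf(stderr, "  %s: close failed.\n", key);
	unlink(name);
	Free(name);
	return NULL;
    }
    return (u_char *)name;
}

		    } else if (!strcmp(sp->Key,"FE")) {
			if ((p = ctm_tmpfile(sp->Key, template)) == NULL) {
			    ret |= Exit_Mess;
			    return ret;
			}
			/* … unchanged: popen("ed","w") and the rest of the FE branch … */
```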
Index: ctm/ctm_passb.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/usr.sbin/ctm/ctm/ctm_passb.c,v
retrieving revision 1.5
diff -u -r1.5 ctm_passb.c
--- ctm/ctm_passb.c	1999/08/28 01:16:00	1.5
+++ ctm/ctm_passb.c	2001/04/29 08:47:31
@@ -36,7 +36,7 @@
 	printf("PassB -- Backing up files which would be changed.\n");
=20
     MD5Init (&ctx);
-    sprintf(buf, TarCmd, BackupFile);
+    snprintf(buf, sizeof(buf), fmtcheck(TarCmd, TARCMD), BackupFile);
     b=3Dpopen(buf, "w");
     if(!b) { warn("%s", buf); return Exit_Garbage; }
=20
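Review bot: The return value of `snprintf()` is discarded, so a TarCmd/BackupFile expansion longer than `buf` is silently truncated and the shortened string is still passed to `popen()`. A truncated shell command is not the command the user configured, so I would reject it: store the result in an `int n` and add `if (n < 0 || (size_t)n >= sizeof(buf)) { warnx("tar command too long"); return Exit_Garbage; }` before the `popen()`. `buf` is declared outside the hunk, so `sizeof(buf)` is assumed here to be an array size rather than a pointer size. `fmtcheck()` only validates the conversion specifiers in TarCmd; the expanded string is still interpreted by the shell, which deserves a one-line comment such as `/* TarCmd and BackupFile are passed to sh unquoted */`.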
Index: ctm_rmail/error.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/usr.sbin/ctm/ctm_rmail/error.c,v
retrieving revision 1.2
diff -u -r1.2 error.c
--- ctm_rmail/error.c	1995/02/25 05:10:18	1.2
+++ ctm_rmail/error.c	2001/04/29 08:48:56
@@ -58,7 +58,7 @@
  * decoded and appended.
  */
 void
-err(char *fmt, ...)
+err(const char *fmt, ...)
     {
     va_list ap;
     time_t now;
Index: ctm_rmail/error.h
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /mnt/ncvs/src/usr.sbin/ctm/ctm_rmail/error.h,v
retrieving revision 1.1
diff -u -r1.1 error.h
--- ctm_rmail/error.h	1995/01/31 19:12:41	1.1
+++ ctm_rmail/error.h	2001/04/29 08:49:05
@@ -1,3 +1,3 @@
 extern	void	err_set_log(char *log_file);
 extern	void	err_prog_name(char *name);
-extern	void	err(char *fmt, ...);
+extern	void	err(const char *fmt, ...) __printflike(1, 2);
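Review bot: `__printflike` comes from `<sys/cdefs.h>`, and the `@@ -1,3 +1,3 @@` header shows error.h is three lines long with no include of its own, so the new prototype compiles only where the including file has already pulled in a system header. Adding `#include <sys/cdefs.h>` at the top of error.h would make the header self-contained. Separately, `err_set_log()` and `err_prog_name()` still take `char *`; if they do not modify their argument (their bodies are not shown), `const char *` would be consistent with the change made to `err()`.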


--XsQoSWH+UP9D9v3l
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE669bYWry0BWjoQKURAnYmAKDiOJKXlWHAKDECTz+Nl7NLVEP/BACdGzdW
qCx0kd7roJGXYozVF78DWwM=
=TtaU
-----END PGP SIGNATURE-----

--XsQoSWH+UP9D9v3l--




