From owner-freebsd-audit Mon Dec 2 03:58:31 2002
Date: Mon, 2 Dec 2002 13:58:09 +0200
From: Peter Pentchev
To: hackers@FreeBSD.org
Cc: audit@FreeBSD.org
Subject: [CFR] diskpart(1) buffer overflow fix
Message-ID: <20021202115809.GD372@straylight.oblivion.bg>

Hi,

As noted on the vuln-dev list recently, the diskpart(1) program in -stable is susceptible to a buffer overflow in the parsing of command-line arguments. This is a low-risk problem, since diskpart(1) is not - and has never been, and has no reason to ever be - a privileged program, but still, there should be no harm in fixing it :)

Attached are two patches: a trivial one which just fixes up two problems in diskpart's argument parsing, and a more complex one, which does it "the right way" IMHO, using getopt(3).

Comments?
G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message

From owner-freebsd-audit Mon Dec 2 04:22:18 2002
Date: Mon, 2 Dec 2002 14:21:50 +0200
From: Peter Pentchev
To: hackers@FreeBSD.org
Cc: audit@FreeBSD.org
Subject: Re: [CFR] diskpart(1) buffer overflow fix
Message-ID: <20021202122150.GE372@straylight.oblivion.bg>
In-Reply-To: <20021202115809.GD372@straylight.oblivion.bg>

On Mon, Dec 02, 2002 at 01:58:09PM +0200, Peter Pentchev wrote:
> Hi,
> 
> As noted on the vuln-dev list recently, the diskpart(1) program in
> -stable is susceptible to a buffer overflow in the parsing of
> command-line arguments. This is a low-risk problem, since diskpart(1)
> is not - and has never been, and has no reason to ever be - a privileged
> program, but still, there should be no harm in fixing it :)
> 
> Attached are two patches: a trivial one which just fixes up two problems
> in diskpart's argument parsing, and a more complex one, which does it
> "the right way" IMHO, using getopt(3).
> 
> Comments?

And a comment from myself: of course it would have been way better if I had actually attached the patches...

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If I were you, who would be reading this sentence?
--JcvBIhDvR6w3jUPA Content-Type: text/plain; charset=windows-1251 Content-Disposition: attachment; filename="diskpart-trivial.patch" Content-Transfer-Encoding: quoted-printable Index: src/usr.sbin/diskpart/diskpart.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/usr.sbin/diskpart/Attic/diskpart.c,v retrieving revision 1.11.2.1 diff -u -r1.11.2.1 diskpart.c --- src/usr.sbin/diskpart/diskpart.c 7 Jan 2002 06:00:23 -0000 1.11.2.1 +++ src/usr.sbin/diskpart/diskpart.c 2 Dec 2002 11:32:58 -0000 @@ -128,8 +128,6 @@ char *lp, *tyname; =20 argc--, argv++; - if (argc < 1) - usage(); if (argc > 0 && strcmp(*argv, "-p") =3D=3D 0) { pflag++; argc--, argv++; @@ -140,8 +138,10 @@ } if (argc > 1 && strcmp(*argv, "-s") =3D=3D 0) { totsize =3D atoi(argv[1]); - argc +=3D 2, argv +=3D 2; + argc -=3D 2, argv +=3D 2; } + if (argc < 1) + usage(); dp =3D getdiskbyname(*argv); if (dp =3D=3D NULL) { if (isatty(0)) --JcvBIhDvR6w3jUPA Content-Type: text/plain; charset=windows-1251 Content-Disposition: attachment; filename="usr.sbin-diskpart.patch" Content-Transfer-Encoding: quoted-printable Index: src/usr.sbin/diskpart/diskpart.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/usr.sbin/diskpart/Attic/diskpart.c,v retrieving revision 1.11.2.1 diff -u -r1.11.2.1 diskpart.c --- src/usr.sbin/diskpart/diskpart.c 7 Jan 2002 06:00:23 -0000 1.11.2.1 +++ src/usr.sbin/diskpart/diskpart.c 20 Nov 2002 15:14:46 -0000 @@ -55,6 +55,7 @@ #include #include #include +#include =20 #define for_now /* show all of `c' partition for disklabel */ #define NPARTITIONS 8 
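Review bot: in the second hunk of diskpart-trivial.patch (`@@ -140,8 +138,10 @@`) the sign fix, `argc -= 2` in place of `argc += 2`, and the `if (argc < 1) usage();` moved down from the first hunk are both needed, because the old code checked the count before consuming any option: a bare `-p`, or `-s 100` with nothing after it, leaves argv at the terminating NULL entry (and, after `-s`, argc larger than the real count), so `getdiskbyname(*argv)` is reached with no operand at all. One thing the hunk still leaves alone is `totsize = atoi(argv[1])`, which turns a non-numeric `-s` value into 0 without complaint; since the count check is now being placed right after it, that is the natural spot to reject a bad size too. The `+#include` line in the first hunk of usr.sbin-diskpart.patch has lost its header name in the archived copy, so that hunk cannot be checked as shown.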
@@ -126,22 +127,30 @@ int threshhold, numcyls[NPARTITIONS], startcyl[NPARTITIONS]; int totsize =3D 0; char *lp, *tyname; + int ch; =20 - argc--, argv++; + while ((ch =3D getopt(argc, argv, "dps:")) !=3D EOF) + switch (ch) { + case 'd': + dflag++; + if (pflag) + usage(); + break; + =09 + case 'p': + if (dflag) + usage(); + pflag++; + break; + + case 's': + totsize =3D atoi(optarg); + break; + } + argc -=3D optind; + argv +=3D optind; if (argc < 1) usage(); - if (argc > 0 && strcmp(*argv, "-p") =3D=3D 0) { - pflag++; - argc--, argv++; - } - if (argc > 0 && strcmp(*argv, "-d") =3D=3D 0) { - dflag++; - argc--, argv++; - } - if (argc > 1 && strcmp(*argv, "-s") =3D=3D 0) { - totsize =3D atoi(argv[1]); - argc +=3D 2, argv +=3D 2; - } dp =3D getdiskbyname(*argv); if (dp =3D=3D NULL) { if (isatty(0)) --JcvBIhDvR6w3jUPA-- --pE2VAHO2njSJCslu Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE961Be7Ri2jRYZRVMRAtfiAKC4Drmq+9vCG7rspKn9f9fBaT943QCfZGuJ y/X50BhA3AL1Kl5IPXZvEJ0= =wZHz -----END PGP SIGNATURE----- --pE2VAHO2njSJCslu-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Mon Dec 2 4:38: 2 2002 Delivered-To: freebsd-audit@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 179A437B401; Mon, 2 Dec 2002 04:38:01 -0800 (PST) Received: from melusine.cuivre.fr.eu.org (melusine.cuivre.fr.eu.org [62.212.105.185]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7823743E4A; Mon, 2 Dec 2002 04:38:00 -0800 (PST) (envelope-from thomas@FreeBSD.ORG) Received: by melusine.cuivre.fr.eu.org (Postfix, from userid 1000) id DE5A22C3D1; Mon, 2 Dec 2002 13:37:52 +0100 (CET) Date: Mon, 2 Dec 2002 13:37:52 +0100 
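Review bot: the `switch (ch)` in the `@@ -126,22 +127,30 @@` hunk has no `default:` case, so the `'?'` that getopt(3) returns for an unrecognised option, or for `-s` given without a value, is silently dropped and parsing continues to `argc -= optind` and the disk lookup; adding `default: usage();` makes such input fail the way a bad operand count already does. `totsize = atoi(optarg)` carries the old behaviour forward, a non-numeric size becoming 0 unnoticed, where strtol(3) with an end-pointer check would catch it. Comparing the getopt result against `EOF` works because EOF is -1 on FreeBSD, but the documented return value is -1 and that is the clearer spelling.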
From: Thomas Quinot
To: Peter Pentchev
Cc: hackers@FreeBSD.org, audit@FreeBSD.org
Subject: Re: [CFR] diskpart(1) buffer overflow fix
Message-ID: <20021202123752.GA62114@melusine.cuivre.fr.eu.org>
In-Reply-To: <20021202122150.GE372@straylight.oblivion.bg>

On 2002-12-02, Peter Pentchev wrote:

> > Attached are two patches: a trivial one which just fixes up two problems
> > in diskpart's argument parsing, and a more complex one, which does it
> > "the right way" IMHO, using getopt(3).

The getopt-based version sounds better to me.

> + case 'd':
> + dflag++;
> + if (pflag)
> + usage();
> + break;
> +
> + case 'p':
> + if (dflag)
> + usage();
> + pflag++;
> + break;

I'd remove both tests and replace them with a single
	if (pflag && dflag) usage()
after all arguments have been processed.

Thomas.

-- 
Thomas.Quinot@Cuivre.FR.EU.ORG

From owner-freebsd-audit Mon Dec 2 04:47:03 2002
Date: Mon, 2 Dec 2002 14:46:42 +0200
From: Peter Pentchev
To: Thomas Quinot
Cc: hackers@FreeBSD.org, audit@FreeBSD.org
Subject: Re: [CFR] diskpart(1) buffer overflow fix
Message-ID: <20021202124641.GH372@straylight.oblivion.bg>
In-Reply-To: <20021202123752.GA62114@melusine.cuivre.fr.eu.org>

On Mon, Dec 02, 2002 at 01:37:52PM +0100, Thomas Quinot wrote:
> On 2002-12-02, Peter Pentchev wrote:
> 
> > > Attached are two patches: a trivial one which just fixes up two problems
> > > in diskpart's argument parsing, and a more complex one, which does it
> > > "the right way" IMHO, using getopt(3).
> 
> The getopt-based version sounds better to me.
> 
> > + case 'd':
> > + dflag++;
> > + if (pflag)
> > + usage();
> > + break;
> > +
> > + case 'p':
> > + if (dflag)
> > + usage();
> > + pflag++;
> > + break;
> 
> I'd remove both tests and replace them with a single
> 	if (pflag && dflag) usage()
> after all arguments have been processed.

Ahhh; of course this would be better. Updated patch attached.
G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 If there were no counterfactuals, this sentence would not have been paradox= ical. --QxN5xOWGsmh5a4wb Content-Type: text/plain; charset=windows-1251 Content-Disposition: attachment; filename="usr.sbin-diskpart.patch" Content-Transfer-Encoding: quoted-printable Index: src/usr.sbin/diskpart/diskpart.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/usr.sbin/diskpart/Attic/diskpart.c,v retrieving revision 1.11.2.1 diff -u -r1.11.2.1 diskpart.c --- src/usr.sbin/diskpart/diskpart.c 7 Jan 2002 06:00:23 -0000 1.11.2.1 +++ src/usr.sbin/diskpart/diskpart.c 2 Dec 2002 12:45:27 -0000 @@ -55,6 +55,7 @@ #include #include #include +#include =20 #define for_now /* show all of `c' partition for disklabel */ #define NPARTITIONS 8 
@@ -126,22 +127,29 @@ int threshhold, numcyls[NPARTITIONS], startcyl[NPARTITIONS]; int totsize =3D 0; char *lp, *tyname; + int ch; =20 - argc--, argv++; + while ((ch =3D getopt(argc, argv, "dps:")) !=3D EOF) + switch (ch) { + case 'd': + dflag++; + break; + =09 + case 'p': + pflag++; + break; + + case 's': + totsize =3D atoi(optarg); + break; + } + argc -=3D optind; + argv +=3D optind; + + if (dflag && pflag) + usage(); if (argc < 1) usage(); - if (argc > 0 && strcmp(*argv, "-p") =3D=3D 0) { - pflag++; - argc--, argv++; - } - if (argc > 0 && strcmp(*argv, "-d") =3D=3D 0) { - dflag++; - argc--, argv++; - } - if (argc > 1 && strcmp(*argv, "-s") =3D=3D 0) { - totsize =3D atoi(argv[1]); - argc +=3D 2, argv +=3D 2; - } dp =3D getdiskbyname(*argv); if (dp =3D=3D NULL) { if (isatty(0)) --QxN5xOWGsmh5a4wb-- --fLj60tP2PZ34xyqD Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE961Yx7Ri2jRYZRVMRAlB6AJsGIHbaIiOpb/+1kkCszSGzKsJjeQCfZvFa HT9yhe6vNIDvwpvqgPYmsSk= =M70Q -----END PGP SIGNATURE----- --fLj60tP2PZ34xyqD-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Mon Dec 2 11: 0:22 2002 Delivered-To: freebsd-audit@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9B1D837B41B for ; Mon, 2 Dec 2002 11:00:21 -0800 (PST) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id A4A1443EAF for ; Mon, 2 Dec 2002 11:00:20 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id gB2J0Kx3027169 for ; Mon, 2 Dec 2002 11:00:20 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id 
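Review bot: the single `if (dflag && pflag) usage();` placed after `argv += optind` in the `@@ -126,22 +127,29 @@` hunk resolves the earlier comment, but the `switch` still has no `default:` case, so an unrecognised option or a bare `-s` (both reported by getopt(3) as `'?'`) still goes on to the operand count check and, if a disk name follows, to `getdiskbyname()`; `default: usage();` closes that path and is the only change this revision still needs. The `atoi(optarg)` remark from the previous round applies unchanged.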
Date: Mon, 2 Dec 2002 11:00:20 -0800 (PST)
Message-Id: <200212021900.gB2J0KJb027163@freefall.freebsd.org>
From: FreeBSD bugmaster
To: audit@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

Non-critical problems

S Submitted    Tracker   Resp.  Description
-------------------------------------------------------------------------------
a [1999/01/28] bin/9770  audit  An openpty(3) auxiliary program

1 problem total.

From owner-freebsd-audit Mon Dec 2 15:20:58 2002
Date: Tue, 3 Dec 2002 00:20:54 +0100
From: Thomas Quinot
To: Thomas Quinot, hackers@FreeBSD.org, audit@FreeBSD.org
Subject: Re: [CFR] diskpart(1) buffer overflow fix
Message-ID: <20021202232054.GC92328@melusine.cuivre.fr.eu.org>
In-Reply-To: <20021202124641.GH372@straylight.oblivion.bg>

On 2002-12-02, Peter Pentchev wrote:
> Ahhh; of course this would be better. Updated patch attached.

Looks fine.

Thomas.

-- 
Thomas.Quinot@Cuivre.FR.EU.ORG
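The two argument-parsing styles compared in this thread, side by side, as an added example written for this page; it is not the FreeBSD diskpart(1) source and not either of the patches above. The names `struct opts`, `old_walk` and `parse_getopt` and the sample argument vectors are assumptions made for the example. `old_walk` keeps the old code's `argc += 2` sign error on purpose but counts the arguments really remaining in a separate variable, so the demonstration itself never reads past argv; `parse_getopt` uses getopt(3) with the single post-loop `dflag && pflag` check Thomas suggested, adds the `default:` case for the `'?'` that getopt returns on an unknown option or a bare `-s`, validates the `-s` value with strtol(3), and, going a step beyond the patch, insists on exactly one operand.

```c
/*
 * Added example, not the FreeBSD diskpart(1) source: the old hand-rolled
 * argv walk (its "argc += 2" sign error kept on purpose) beside a getopt(3)
 * parser with one post-loop -d/-p check, a default: case and -s validation.
 * Names (struct opts, old_walk, parse_getopt) and the inputs are assumed.
 */
#define _DEFAULT_SOURCE 1	/* glibc: declare getopt(3) even under -std=c99 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct opts {
	int dflag, pflag;
	long totsize;
	const char *disk;	/* NULL when no operand is left */
};

/*
 * Old-style walk: returns the argc the old code went on with.  nreal tracks
 * what is really left, so o->disk is read only while argv[0] exists; the
 * original handed whatever was there (NULL included) to getdiskbyname().
 */
static int
old_walk(int argc, char *argv[], struct opts *o)
{
	int nreal;
	memset(o, 0, sizeof(*o));
	argc--, argv++;
	nreal = argc;
	if (argc < 1)
		return (-1);			/* usage() in the original */
	if (argc > 0 && strcmp(*argv, "-p") == 0) {
		o->pflag++;
		argc--, argv++, nreal--;
	}
	if (argc > 0 && strcmp(*argv, "-d") == 0) {
		o->dflag++;
		argc--, argv++, nreal--;
	}
	if (argc > 1 && strcmp(*argv, "-s") == 0) {
		o->totsize = atoi(argv[1]);
		argc += 2, argv += 2, nreal -= 2;	/* the bug: argc grows */
	}
	o->disk = nreal > 0 ? *argv : NULL;
	return (argc);
}

/* getopt(3) parser: 0 on success, -1 on any usage error. */
static int
parse_getopt(int argc, char *argv[], struct opts *o)
{
	int ch;
	char *end;
	memset(o, 0, sizeof(*o));
#ifdef __GLIBC__
	optind = 0;		/* glibc: 0 makes getopt(3) re-initialise */
#else
	optind = 1;
	optreset = 1;		/* BSD libc: explicit restart flag */
#endif
	opterr = 0;		/* keep getopt's own stderr messages quiet */
	while ((ch = getopt(argc, argv, "dps:")) != -1)
		switch (ch) {
		case 'd':
			o->dflag++;
			break;
		case 'p':
			o->pflag++;
			break;
		case 's':
			errno = 0;
			o->totsize = strtol(optarg, &end, 10);
			if (errno != 0 || end == optarg || *end != '\0' ||
			    o->totsize <= 0 || o->totsize > INT_MAX)
				return (-1);	/* not a usable size */
			break;
		default:		/* '?': unknown option or -s without a value */
			return (-1);
		}
	argc -= optind, argv += optind;
	if (o->dflag && o->pflag)	/* one conflict check, after parsing */
		return (-1);
	if (argc != 1)			/* exactly one operand; stricter than the patch */
		return (-1);
	o->disk = argv[0];
	return (0);
}

int
main(void)
{
	char *bare[] = { "diskpart", "-s", "100", NULL };	/* constructed input */
	struct opts o;
	int rc;
	rc = old_walk(3, bare, &o);
	printf("old walk: argc=%d, disk=%s\n", rc, o.disk ? o.disk : "(none)");
	rc = parse_getopt(3, bare, &o);
	printf("getopt:   rc=%d\n", rc);
	return (0);
}
```

Built with `cc -Wall`, the program shows the old walk finishing a bare `-s 100` with argc 4 although nothing is left to name a disk, while the getopt version rejects the same input. The optind reset at the top of `parse_getopt` exists only so the function can be called repeatedly in one process; a real program parses argv once and does not need it.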