Date:      4 Feb 1997 04:06:01 -0000
From:      tenser@spitfire.ecsel.psu.edu
To:        security@freebsd.org
Cc:        tqbf@enteract.com, bugtraq@netspace.org
Subject:   Patches for 2.1.6-RELEASE locale stuff...
Message-ID:  <19970204040601.1016.qmail@spitfire.ecsel.psu.edu>

I took another look at the locale code for 2.1.6-RELEASE (available in
/usr/src/lib/libc/locale), and tried to go through everything and look
for buffer overrun type stuff.  Here is a set of patches for the four
files I modified.  I don't guarantee that this takes care of all possible
locale security problems, but it's a start for the folks who are going
to presumably issue an advisory and official patch at some point in the
future.  These patched source files at least compile on my 386 running
2.1.6.  Any errors I might have made, I attribute to lack of sleep over
the last few days.  :-)

(Note, just to clarify: My first patch should have thwarted the startup
locale processing bug.  These patches are for other buffer overrun problems
in the locale stuff in the C library.  That first patch is also included
here for convenience.)

	- Dan C.

----- Begin 2.1.6-locale.diff
*** collate.c	1997/02/04 02:49:05	1.1
--- collate.c	1997/02/04 02:54:58
***************
*** 66,75 ****
  		return -1;
  	if (!path_locale && !(path_locale = getenv("PATH_LOCALE")))
  		path_locale = _PATH_LOCALE;
! 	strcpy(buf, path_locale);
! 	strcat(buf, "/");
! 	strcat(buf, encoding);
! 	strcat(buf, "/LC_COLLATE");
  	if ((fp = fopen(buf, "r")) == NULL)
  		return -1;
  	FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp);
--- 66,73 ----
  		return -1;
  	if (!path_locale && !(path_locale = getenv("PATH_LOCALE")))
  		path_locale = _PATH_LOCALE;
! 	(void)snprintf(buf,
! 		PATH_MAX, "%s/%s/LC_COLLATE", path_locale, encoding);
  	if ((fp = fopen(buf, "r")) == NULL)
  		return -1;
  	FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp);
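Review bot: The new `(void)snprintf(buf, PATH_MAX, ...)` discards its return value, so an over-long PATH_LOCALE or encoding no longer overruns `buf` but is silently truncated and the truncated path is handed straight to fopen. Failing closed on truncation is safer: `if (snprintf(buf, PATH_MAX, "%s/%s/LC_COLLATE", path_locale, encoding) >= PATH_MAX) return -1;` (this relies on snprintf returning the would-be length, which should be confirmed for this libc). `buf` is declared outside the hunk; passing `sizeof buf` instead of PATH_MAX would keep the bound tied to the actual declaration. The FREAD of the table right after fopen is also unchecked, though that predates this change. The enclosing function starts and ends outside the hunk.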
*** rune.c	1997/02/04 03:18:28	1.1
--- rune.c	1997/02/04 03:19:21
***************
*** 74,83 ****
  	if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE")))
  		PathLocale = _PATH_LOCALE;
  
! 	(void) strcpy(name, PathLocale);
! 	(void) strcat(name, "/");
! 	(void) strcat(name, encoding);
! 	(void) strcat(name, "/LC_CTYPE");
  
  	if ((fp = fopen(name, "r")) == NULL)
  		return(ENOENT);
--- 74,81 ----
  	if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE")))
  		PathLocale = _PATH_LOCALE;
  
! 	(void)snprintf(name,
! 		PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding);
  
  	if ((fp = fopen(name, "r")) == NULL)
  		return(ENOENT);
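Review bot: The `(void)snprintf(name, PATH_MAX, ...)` in this hunk bounds the write but not the result: a PathLocale long enough to reach PATH_MAX yields a silently truncated path that fopen may still resolve to some unrelated file rather than the LC_CTYPE table. Treat truncation as a lookup failure, `if (snprintf(name, PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding) >= PATH_MAX) return(ENAMETOOLONG);`, assuming this snprintf reports the would-be length. Since PathLocale is taken from the PATH_LOCALE environment variable on the context line above, a set-user-id program still honours a caller-supplied directory; if this libc can detect that it is running set-id, ignoring PATH_LOCALE in that case would be the complete fix. The enclosing function starts and ends outside the hunk.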
*** setlocale.c	1997/02/04 03:22:26	1.1
--- setlocale.c	1997/02/04 03:22:54
***************
*** 198,201 ****
--- 198,203 ----
  		case LC_NUMERIC:
  			return (NULL);
  	}
+ 
+ 	return(NULL);	/*  2.2 has this with the comment, ``Just in Case''  */
  }
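Review bot: The added `return(NULL)` covers a category value that no case matches, but the comment borrowed from 2.2 does not say why it is there; a comment stating the reason would help the next reader: `/* No case matched: without this, control falls off the end and the caller receives an indeterminate pointer. */`. If the switch (whose top is outside this hunk) has no `default:` label, a `default: return (NULL);` inside it would make the intent explicit at the point where the unhandled value is actually seen. The enclosing function starts outside the hunk.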
*** startup_setlocale.c	1997/02/03 07:40:46	1.1
--- startup_setlocale.c	1997/02/03 07:41:47
***************
*** 174,183 ****
  		return(0);
  	}
  
! 	(void) strcpy(name, PathLocale);
! 	(void) strcat(name, "/");
! 	(void) strcat(name, encoding);
! 	(void) strcat(name, "/LC_CTYPE");
  
  	if ((fp = fopen(name, "r")) == NULL)
  		return(ENOENT);
--- 174,181 ----
  		return(0);
  	}
  
! 	(void) snprintf(name,
! 		PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding);
  
  	if ((fp = fopen(name, "r")) == NULL)
  		return(ENOENT);
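Review bot: As in rune.c, `(void) snprintf(name, PATH_MAX, ...)` here ignores truncation, so a PathLocale that pushes the path to PATH_MAX or beyond is silently cut short before fopen instead of being rejected; `if (snprintf(name, PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding) >= PATH_MAX) return(ENAMETOOLONG);` fails closed, provided this libc's snprintf returns the would-be length. Where PathLocale is set is outside the hunk; because this file runs at program startup, if the value can still originate in the caller's environment a set-user-id binary opens whatever directory the caller names, which the length bound alone does not address. `name` is also declared outside the hunk, so `sizeof name` would tie the bound to the real buffer rather than to PATH_MAX. The enclosing function starts and ends outside the hunk.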
----- End 2.1.6-locale.diff


