From owner-freebsd-ports Fri Feb 1 14:40:22 2002
Delivered-To: freebsd-ports@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 7263D37B41C for ; Fri, 1 Feb 2002 14:40:02 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g11Me2S26426; Fri, 1 Feb 2002 14:40:02 -0800 (PST) (envelope-from gnats)
Received: from kevinday.com (dsl092-133-149.chi1.dsl.speakeasy.net [66.92.133.149]) by hub.freebsd.org (Postfix) with ESMTP id BBAFA37B404 for ; Fri, 1 Feb 2002 14:31:49 -0800 (PST)
Received: (from root@localhost) by gw.kevinday.com (8.11.6/8.11.6) id g11NGCS01848; Fri, 1 Feb 2002 17:16:12 -0600 (CST) (envelope-from toasty)
Message-Id: <200202012316.g11NGCS01848@gw.kevinday.com>
Date: Fri, 1 Feb 2002 17:16:12 -0600 (CST)
From: toasty
Reply-To: toasty
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: ports/34540: [PATCH] fix getenv buffer overflow in ports/editors/joe
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number: 34540
>Category: ports
>Synopsis: [PATCH] fix getenv buffer overflow in ports/editors/joe
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Fri Feb 01 14:40:02 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: toasty
>Release: FreeBSD 4.4-RELEASE i386
>Organization: DragonData
>Environment:
System: FreeBSD gw.kevinday.com 4.4-RELEASE FreeBSD 4.4-RELEASE #4: Thu Jan 17 23:34:34 CST 2002 toasty@gw.kevinday.com:/usr/src/sys/compile/GW i386
>Description:
There's a buffer overflow in joe's getenv parsing of HOME, producing a trash-the-stack style segv. Not exploitable, since joe isn't suid or a network application or anything.

I have received two e-mails about this problem in the span of an hour, one of which claimed to be forwarding his "advisory" to bugtraq. I'm guessing some mailing list somewhere posted about this, but I can't find anything.
>How-To-Repeat:
bash-2.05$ export HOME=`Perl -e 'print "A" x 5000'`
bash-2.05$ joe
Segmentation fault (core dumped)
>Fix:
This should be added as ports/editors/joe/files/patch-ag

--- rc.c.orig Fri Feb 1 16:50:23 2002 +++ rc.c Fri Feb 1 16:50:43 2002 
@@ -610,7 +610,8 @@ FILE *fd; /* rc file */ int line=0; /* Line number */ int err=0; /* Set to 1 if there was a syntax error */ - ossep(zcpy(buf,name)); + strlcpy(buf,name,sizeof(buf)); + ossep(buf); #ifdef __MSDOS__ fd=fopen(buf,"rt"); #else
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
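Review bot: the strlcpy() call stops the overflow but silently truncates, and the truncated name still flows into ossep() and fopen(), so an over-long HOME makes joe open whatever file the shortened path happens to name instead of reporting the problem. Check the return value before calling ossep(buf), e.g. `if (strlcpy(buf,name,sizeof(buf)) >= sizeof(buf)) return err;` (or treat it as "no rc file"). Two smaller points: sizeof(buf) is only the buffer length if buf is a fixed-size array in this function, and its declaration is not in the hunk, so that should be confirmed; and strlcpy() is in FreeBSD's libc but not in every libc joe is built against, which is fine for a port-local patch-ag but worth a comment in the patch file so the hunk is not forwarded upstream unchanged.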
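The defect the report describes, as an added example that is not joe's code and not part of the PR: an unbounded copy of a HOME-derived path into a fixed stack buffer, beside a bounded copy that detects truncation rather than silently opening a wrong path. RC_BUF_SIZE, copy_rc_path_unbounded, copy_rc_path_bounded and rc_path_from_home are names chosen here; snprintf() is used instead of strlcpy() so the example is portable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RC_BUF_SIZE 1024   /* assumed size of the fixed rc-path buffer */

/* The pattern in the report: a caller-supplied path built from $HOME is
 * copied into a fixed buffer with no length check. A 5000-byte HOME
 * writes past the end of buf and corrupts the stack (the segv in the PR). */
void copy_rc_path_unbounded(char *buf, const char *name)
{
    strcpy(buf, name);
}

/* Bounded variant. snprintf() never writes more than bufsz bytes and
 * returns the length the full string would have needed, so truncation is
 * detected and rejected instead of yielding a wrong-but-valid path.
 * Returns 0 on success, -1 when name would not fit. */
int copy_rc_path_bounded(char *buf, size_t bufsz, const char *name)
{
    int needed = snprintf(buf, bufsz, "%s", name);
    if (needed < 0 || (size_t)needed >= bufsz) {
        buf[0] = '\0';        /* do not hand a truncated path to fopen() */
        return -1;
    }
    return 0;
}

/* Take the value of HOME (as joe's trigger does via the environment) and
 * fill buf with it safely. NULL means HOME is unset. */
int rc_path_from_home(const char *home, char *buf, size_t bufsz)
{
    if (home == NULL)
        return -1;
    return copy_rc_path_bounded(buf, bufsz, home);
}

int main(void)
{
    char buf[RC_BUF_SIZE];
    char *big = malloc(5001);     /* constructed: the 5000 x "A" HOME from the PR */
    memset(big, 'A', 5000);
    big[5000] = '\0';
    printf("normal HOME -> %d\n", rc_path_from_home("/home/toasty", buf, sizeof buf));
    printf("5000-byte HOME -> %d\n", rc_path_from_home(big, buf, sizeof buf));
    free(big);
    return 0;
}
```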