Date: Tue, 5 Feb 2002 17:06:15 +0000
From: biometrix <bio.metrix@gte.net>
To: audit@freebsd.org
Subject: GNU rcs suite - RCSLOCALID overflow.
Message-ID: <20020206230233.DUPK10804.out006.verizon.net@there>
There is a buffer overflow in the GNU RCS suite. It occurs in the handling of the RCSLOCALID environment variable.

In /usr/src/gnu/usr.bin/rcs/lib/rcskeys.c, in the function setRCSLocalId(), the variable ("string") is set from the earlier call cgetenv("RCSLOCALID"). If the RCSLOCALID string is too large for the buffer that it is about to be strcpy'd into (local_id), a warning is given in the form of:

    error("LocalId is too long");

The error is not trapped, and so a segmentation fault occurs at this line:

    VOID strcpy(local_id, key);

I truncated the RCSLOCALID variable to the size of "keylength" with a strlcpy() call. This probably wasn't the best way of handling it, but it does seem to handle the error OK.

example:

    bash-2.05# export RCSLOCALID=`perl -e 'print "A" x 5000'`
    bash-2.05# rcs
    rcs: LocalId is too long
    Segmentation fault (core dumped)
    bash-2.05# /usr/src/gnu/usr.bin/rcs/rcs/rcs
    rcs: LocalId is too long. truncated RCSLOCALID
    bash-2.05#

The problem affects the following binaries: rcs, rcsclean, rcsdiff, rcsmerge and rlog.

None of the RCS suite is setuid, so no privilege escalation occurs.

John Johnson.
[Attachment rcskeys.patch ("patch for RCSLOCALID overflow"), decoded from base64:]

--- rcskeys.orig	Tue Feb  5 15:02:40 2002
+++ rcskeys.c	Tue Feb  5 16:37:06 2002
@@ -22,11 +22,15 @@
 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
 Report problems and direct all questions to:
 
     rcs-bugs@cs.purdue.edu
+*/
 
+/* Revision 5.5  2002/02/06 03:45:50  jjohnson
+ * problem with setRCSLocalId function would cause segmentation fault
+ * if RCSLOCALID enviroment variable was to large.
 */
 
 /*
  * Revision 5.4  1995/06/16 06:19:24  eggert
  * Update FSF address.
@@ -164,13 +168,15 @@
 	int j;
 
 	copy = strdup(string);
 	next = copy;
 	key = strtok(next, "=");
-	if (strlen(key) > keylength)
-		error("LocalId is too long");
-	VOID strcpy(local_id, key);
+	if (strlen(key) > keylength){
+		error("LocalId is too long. truncated RCSLOCALID");
+		strlcpy(local_id,key,sizeof(keylength));
+	        }
+	VOID strlcpy(local_id, key,sizeof(keylength));
 	Keyword[LocalId] = local_id;
 
 	/* options? */
 	while (key = strtok(NULL, ",")) {
 		if (!strcmp(key, Keyword[Id]))
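Review bot: the new revision-log comment in the first hunk (the three "+" lines opening "/* Revision 5.5") has two typos, "enviroment" for "environment" and "to large" for "too large", and it records only the symptom, not what the change does (truncate the id instead of copying it unbounded), which is what a later reader of the log will want.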
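Review bot: in the second hunk the bound handed to strlcpy is wrong. keylength is an integer limit (the same hunk compares `strlen(key) > keylength`), so `sizeof(keylength)` is sizeof(int), not the size of local_id, and the copy keeps only sizeof(int) - 1 characters, three on this platform, whatever the real limit is; pass the destination's own size instead (`sizeof(local_id)` if it is an array, or the size it was allocated with). The `strlcpy(local_id,key,sizeof(keylength));` inside the if is also redundant, because the unconditional `VOID strlcpy(...)` that follows does the same copy. Two further points for the maintainers: since error() returns, this change silently installs a shortened keyword into `Keyword[LocalId]`, and returning without touching Keyword[LocalId] would be the safer reaction to an over-long value; and strlcpy is a BSD extension, so a GNU RCS build elsewhere would need a fallback.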
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020206230233.DUPK10804.out006.verizon.net>
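As an added illustration, not RCS code and not part of the original report or its patch: a small C model of the same environment-variable handling, written for this page. It assumes a keyword limit of 8 (the constant KEYLENGTH, the buffer local_id and all function names are constructed for the example, not taken from the RCS sources). set_local_id() checks the length and rejects an over-long value before any copy, so the buffer can never be overrun and the default keyword stays in force; truncating_set_local_id() keeps the patch's truncating behaviour but bounds the copy by the destination's real size; sizeof_integer_limit() shows that sizeof applied to an integer limit yields sizeof(int), which is why sizeof(keylength) is not a usable bound for strlcpy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the keyword limit rcs calls "keylength". 8 is a constructed
 * value for this example, not taken from the RCS sources. */
#define KEYLENGTH 8

/* Fixed-size destination, sized for the limit plus the terminator. */
static char local_id[KEYLENGTH + 1] = "";

/* Hardened counterpart of the RCSLOCALID handling: validate before copying
 * and reject over-long input instead of warning and copying anyway.
 * Only the text before the first '=' is the keyword, mirroring the
 * strtok(next, "=") split in setRCSLocalId().
 * Returns 0 on success, -1 if the value is rejected (local_id untouched). */
int set_local_id(const char *value)
{
    size_t n;

    if (value == NULL)
        return -1;
    n = strcspn(value, "=");
    if (n == 0 || n > KEYLENGTH) {
        fprintf(stderr, "LocalId is empty or too long; ignoring RCSLOCALID\n");
        return -1;
    }
    memcpy(local_id, value, n);   /* n <= KEYLENGTH, so this always fits */
    local_id[n] = '\0';
    return 0;
}

/* Truncating variant in the spirit of the submitted patch, but bounded by
 * the destination's real size rather than by sizeof(keylength).
 * Returns 1 if the id was cut down, 0 otherwise. */
int truncating_set_local_id(const char *value)
{
    size_t n;
    int truncated = 0;

    if (value == NULL)
        return 0;
    n = strcspn(value, "=");
    if (n > sizeof(local_id) - 1) {
        fprintf(stderr, "LocalId is too long; truncating RCSLOCALID\n");
        n = sizeof(local_id) - 1;
        truncated = 1;
    }
    memcpy(local_id, value, n);
    local_id[n] = '\0';
    return truncated;
}

const char *get_local_id(void)
{
    return local_id;
}

/* What sizeof(keylength) yields when keylength is an integer constant:
 * the size of an int, not the size of the buffer being written. */
size_t sizeof_integer_limit(void)
{
    return sizeof(KEYLENGTH);
}

int main(void)
{
    const char *env = getenv("RCSLOCALID");   /* same variable the report describes */

    if (env == NULL) {
        puts("RCSLOCALID not set");
    } else if (set_local_id(env) == 0) {
        printf("LocalId keyword set to \"%s\"\n", get_local_id());
    } else {
        puts("RCSLOCALID rejected; default keyword kept");
    }
    printf("sizeof(KEYLENGTH) = %zu bytes\n", sizeof_integer_limit());
    return 0;
}
```

Run it with RCSLOCALID set to a short value and then to a long one (the report's 5000-byte string works) to see the rejecting path leave local_id unchanged; the reject-or-keep-default choice is the one the attached patch's strlcpy approach does not offer, because a silently shortened keyword is still installed and used.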