Date: Tue, 5 Feb 2002 17:06:15 +0000
From: biometrix <bio.metrix@gte.net>
To: audit@freebsd.org
Subject: GNU rcs suite - RCSLOCALID overflow.
Message-ID: <20020206230233.DUPK10804.out006.verizon.net@there>
[-- Attachment #1 --]
There is a buffer overflow in the GNU RCS suite.
It occurs in the handling of the RCSLOCALID environment variable.
In /usr/src/gnu/usr.bin/rcs/lib/rcskeys.c, in the function setRCSLocalId(), the
variable ("string") is set from the earlier call cgetenv("RCSLOCALID").
If the RCSLOCALID string is too large for the buffer that is about to be strcpy'd
into local_id, a warning is given in the form of:
error("LocalId is too long");
The error is not trapped and so a segmentation fault occurs at this line:
VOID strcpy(local_id, key);
I truncated the RCSLOCALID variable to the size of "keylength" with a
strlcpy() call. This probably wasn't the best way of handling it, but it does
seem to handle the error OK.
Example:
bash-2.05# export RCSLOCALID=`perl -e 'print "A" x 5000'`
bash-2.05# rcs
rcs: LocalId is too long
Segmentation fault (core dumped)
bash-2.05# /usr/src/gnu/usr.bin/rcs/rcs/rcs
rcs: LocalId is too long. truncated RCSLOCALID
bash-2.05#
The problem affects the following binaries:
rcs, rcsclean, rcsdiff, rcsmerge and rlog.
None of the RCS suite is setuid so no privilege escalation occurs.
John Johnson.
[-- Attachment #2 --]
--- rcskeys.orig Tue Feb 5 15:02:40 2002
+++ rcskeys.c Tue Feb 5 16:37:06 2002
@@ -22,11 +22,15 @@
59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
Report problems and direct all questions to:
rcs-bugs@cs.purdue.edu
+*/
+/* Revision 5.5 2002/02/06 03:45:50 jjohnson
+ * problem with setRCSLocalId function would cause segmentation fault
+ * if RCSLOCALID enviroment variable was to large.
*/
/*
* Revision 5.4 1995/06/16 06:19:24 eggert
* Update FSF address.
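Review bot: the new changelog entry (`+/* Revision 5.5 2002/02/06 03:45:50 jjohnson`) has two typos, "enviroment" and "to large" (should be "environment" and "too large"), and does not follow the format of the entry right below it, where `/*` sits on its own line and the revision line is ` * Revision 5.4 1995/06/16 06:19:24 eggert`. Suggest ` * Revision 5.5 2002/02/06 03:45:50 jjohnson` / ` * setRCSLocalId: avoid a segmentation fault when the RCSLOCALID environment variable is too large.` under a bare `/*`, so the history block stays uniform.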
@@ -164,13 +168,15 @@
int j;
copy = strdup(string);
next = copy;
key = strtok(next, "=");
- if (strlen(key) > keylength)
- error("LocalId is too long");
- VOID strcpy(local_id, key);
+ if (strlen(key) > keylength){
+ error("LocalId is too long. truncated RCSLOCALID");
+ strlcpy(local_id,key,sizeof(keylength));
+ }
+ VOID strlcpy(local_id, key,sizeof(keylength));
Keyword[LocalId] = local_id;
/* options? */
while (key = strtok(NULL, ",")) {
if (!strcmp(key, Keyword[Id]))
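Review bot: `sizeof(keylength)` on both `strlcpy` lines is the wrong bound. It is the size of the `keylength` value itself (sizeof(int) when keylength is an integer constant), not the size of `local_id`, so the copy is cut to three characters plus the terminator rather than keylength characters, and the "truncated RCSLOCALID" message understates what happens. The size argument should be the destination's size: `sizeof local_id` if local_id is an array, otherwise `keylength + 1`, which is also the only buffer size that makes the check `strlen(key) > keylength` correct. The `strlcpy` inside the `if` block is redundant, since the unconditional `+ VOID strlcpy(local_id, key,sizeof(keylength));` that follows performs the identical copy; keep one. Because `error()` evidently does not stop execution (the report shows the message printed immediately before the crash), consider rejecting an over-long LocalId outright, leaving `Keyword[LocalId]` unset, instead of installing a silently truncated key the user never asked for. Two smaller points: `strlcpy` is a BSD libc function, fine for the FreeBSD tree but not available in upstream GNU RCS without a replacement, and the file's style puts a space before `{` and after commas in argument lists (`if (...) {`, `strlcpy(local_id, key, ...)`).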
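The report describes a fixed-size local_id buffer, a non-fatal error() call and an unbounded strcpy, and the patch replaces the strcpy with strlcpy bounded by sizeof(keylength). The following is an added example, not RCS's own code and not the patch from the attachment: it shows a hardened setter that rejects an over-long key instead of overflowing or truncating, a strlcpy-style bounded copy whose return value lets the caller detect truncation, and the difference between sizeof(keylength) and the real buffer size. The value keylength = 20 and the keylength + 1 buffer layout are assumptions; the page does not give the real values.

```c
/* Added example (not RCS code): a bounded LocalId setter.
 * keylength = 20 and a keylength+1 buffer are assumptions. */
#include <stdio.h>
#include <string.h>

#define keylength 20                 /* assumed bound; the real value is not on the page */
static char local_id[keylength + 1]; /* key plus terminating NUL */
char scratch[64];                    /* destination used by the truncation demo */
static char long_key[5001];          /* holds the 5000 'A's from the report */

enum local_id_status { LOCAL_ID_OK, LOCAL_ID_TOO_LONG, LOCAL_ID_EMPTY };

/* strlcpy-style bounded copy, written here because glibc may lack strlcpy:
 * copies at most dstsize-1 bytes, always NUL-terminates when dstsize > 0,
 * and returns strlen(src) so the caller can detect truncation. */
size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Hardened setter: the key is everything before the first '=' (the
 * same split the original strtok(next, "=") performs). Over-long keys
 * are rejected and local_id is left untouched; the caller decides
 * whether to warn, ignore the variable, or abort. */
enum local_id_status set_local_id(const char *string)
{
    size_t len = strcspn(string, "=");
    if (len == 0)
        return LOCAL_ID_EMPTY;
    if (len > keylength)
        return LOCAL_ID_TOO_LONG;
    memcpy(local_id, string, len);
    local_id[len] = '\0';
    return LOCAL_ID_OK;
}

const char *get_local_id(void) { return local_id; }

/* The two sizes the patch confuses. */
size_t wrong_bound(void) { return sizeof(keylength); } /* sizeof(int): 4 on common ABIs */
size_t right_bound(void) { return sizeof local_id; }   /* keylength + 1 */

/* Reproduces the report's input: 5000 'A's (constructed). */
const char *long_a_key(void)
{
    memset(long_key, 'A', sizeof long_key - 1);
    long_key[sizeof long_key - 1] = '\0';
    return long_key;
}

int main(void)
{
    printf("sizeof(keylength)=%zu sizeof local_id=%zu\n", wrong_bound(), right_bound());
    bounded_copy(scratch, sizeof(keylength), "LOCALKEY");
    printf("copy bounded by sizeof(keylength): \"%s\"\n", scratch); /* "LOC" */
    bounded_copy(scratch, right_bound(), "LOCALKEY");
    printf("copy bounded by sizeof local_id:   \"%s\"\n", scratch); /* "LOCALKEY" */
    printf("5000-byte key: %s\n",
           set_local_id(long_a_key()) == LOCAL_ID_TOO_LONG ? "rejected" : "accepted");
    if (set_local_id("MyId=Id") == LOCAL_ID_OK)
        printf("local_id=\"%s\"\n", get_local_id());
    return 0;
}
```

Returning a status instead of calling a non-fatal error routine is the point of the design: the caller cannot forget to handle the over-long case, and the buffer is never written unless the key fits. The bounded_copy return value shows the strlcpy idiom for detecting truncation (result >= dstsize means the copy was cut), which the patch's code never checks.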
