From: biometrix
Reply-To: bio.metrix@gte.net
Organization: NAIS
To: audit@freebsd.org
Subject: GNU rcs suite - RCSLOCALID overflow.
Date: Tue, 5 Feb 2002 17:06:15 +0000
List: freebsd-audit@FreeBSD.ORG

There is a buffer overflow in the GNU RCS suite. It occurs in the handling of the RCSLOCALID environment variable.

In /usr/src/gnu/usr.bin/rcs/lib/rcskeys.c, the function setRCSLocalId() sets the variable "string" from the earlier call cgetenv("RCSLOCALID"). If the RCSLOCALID string is too large for the buffer it is about to be strcpy'd into, local_id, a warning is given in the form of:

    error("LocalId is too long");

The error is not trapped (error() returns), and so a segmentation fault occurs at this line:

    VOID strcpy(local_id, key);

I truncated the RCSLOCALID variable to the size of "keylength" with a strlcpy() call. This probably wasn't the best way of handling it, but it does seem to handle the error OK.
Example:

    bash-2.05# export RCSLOCALID=`perl -e 'print "A" x 5000'`
    bash-2.05# rcs
    rcs: LocalId is too long
    Segmentation fault (core dumped)
    bash-2.05# /usr/src/gnu/usr.bin/rcs/rcs/rcs
    rcs: LocalId is too long. truncated RCSLOCALID
    bash-2.05#

The problem affects the following binaries: rcs, rcsclean, rcsdiff, rcsmerge and rlog. None of the RCS suite is setuid, so no privilege escalation occurs.

John Johnson.

[Attachment: rcskeys.patch (text/x-diff), "patch for RCSLOCALID overflow"; base64-encoded attachment body omitted]
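A bounded replacement for the error()+strcpy() sequence the message describes, written here as an added example; it is neither the reporter's patch nor RCS's own code. KEYLENGTH, the local_id buffer size, set_local_id(), get_local_id() and try_long_id() are assumed names, and the name is split off with strcspn() rather than RCS's strtok(), so a value with no name before '=' is rejected instead of skipped.

```c
#include <stdlib.h>
#include <string.h>

#define KEYLENGTH 16                 /* assumed limit; RCS defines its own */
static char local_id[KEYLENGTH + 1]; /* +1 for the terminating NUL */

/* Copy len bytes of src, but never more than n, and always NUL-terminate.
 * Returns len so the caller can detect truncation (strlcpy's contract,
 * spelled out because not every libc ships strlcpy). */
static size_t bounded_copy(char *dst, const char *src, size_t len, size_t n)
{
    size_t take = len < n ? len : n;
    memcpy(dst, src, take);
    dst[take] = '\0';
    return len;
}

/* Parses "name" or "name=opt,opt" the way setRCSLocalId() does, but without
 * strtok.  Returns 0 when the name fit, 1 when it was truncated to
 * KEYLENGTH, -1 when there is no name at all ("" or "=opts"). */
int set_local_id(const char *string)
{
    size_t namelen;
    if (string == NULL)
        return -1;
    namelen = strcspn(string, "=");  /* name ends at '=' or at the NUL */
    if (namelen == 0)
        return -1;
    /* The reported code ran error("LocalId is too long") and then
     * strcpy(local_id, key) anyway; error() returns, so the copy overflowed.
     * Here the copy is bounded whatever the length, and the overlong case is
     * reported so the caller can warn (as the report's patch) or abort. */
    return bounded_copy(local_id, string, namelen, KEYLENGTH) > KEYLENGTH;
}

const char *get_local_id(void) { return local_id; }

/* In-process version of the report's test: RCSLOCALID = "A" x n. */
int try_long_id(size_t n)
{
    char *buf = malloc(n + 1);
    int rc;
    if (buf == NULL)
        return -1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    rc = set_local_id(buf);
    free(buf);
    return rc;
}
```

With the reporter's 5000-byte value, try_long_id(5000) returns 1 and local_id holds the first KEYLENGTH bytes, where the original code would have written past the end of the buffer.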