From owner-freebsd-security  Wed Mar  5 22:26:32 1997
Return-Path: <owner-security>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id WAA20996
          for security-outgoing; Wed, 5 Mar 1997 22:26:32 -0800 (PST)
Received: from rover.village.org (rover.village.org [204.144.255.49])
          by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id WAA20941
          for <freebsd-security@freebsd.org>; Wed, 5 Mar 1997 22:26:22 -0800 (PST)
Received: from rover.village.org [127.0.0.1] 
	by rover.village.org with esmtp (Exim 0.56 #1)
	id E0w2Wct-00032Z-00; Wed, 5 Mar 1997 23:26:03 -0700
To: Bradley Dunn <bradley@dunn.org>
Subject: Re: FreeBSD lpd Security Vulnerability (fwd) 
Cc: Snob Art Genre <ben@narcissus.ml.org>, freebsd-security@freebsd.org
In-reply-to: Your message of "Wed, 05 Mar 1997 18:50:58 EST."
		<Pine.BSF.3.95.970305185009.16059B-100000@ns2.harborcom.net> 
References: <Pine.BSF.3.95.970305185009.16059B-100000@ns2.harborcom.net>  
Date: Wed, 05 Mar 1997 23:26:03 -0700
From: Warner Losh <imp@village.org>
Message-Id: <E0w2Wct-00032Z-00@rover.village.org>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

In message
<Pine.BSF.3.95.970305185009.16059B-100000@ns2.harborcom.net> Bradley
Dunn writes: 
: On Wed, 5 Mar 1997, Snob Art Genre wrote:
: > Is there a patch for -stable?  The patch included with the advisory
: > wasn't applicable on my system.
: 
: http://freebsd.org/cgi/cvsweb.cgi/src/lib/libc/net/rcmd.c?r1=1.3.4.4&r2=1.3.4.5

Apply the following patch, rebuild libc and install the shared
library.  Since lpd is dynamically linked, this will fix the problem.

Index: rcmd.c
===================================================================
RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/net/rcmd.c,v
retrieving revision 1.3.4.4
retrieving revision 1.3.4.5
diff -u -r1.3.4.4 -r1.3.4.5
- --- rcmd.c	1997/02/09 06:57:54	1.3.4.4
+++ rcmd.c	1997/02/26 06:14:11	1.3.4.5
@@ -377,7 +377,8 @@
 	if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long),
 							AF_INET)) == NULL)
 		return (-1);
- -	strcpy(hname, hp->h_name);
+	strncpy(hname, hp->h_name, sizeof(hname));
+	hname[sizeof(hname) - 1] = '\0';
 
 	while (fgets(buf, sizeof(buf), hostf)) {
 		p = buf;



Warner

P.S. since I'm pgp signing this, saying "sed -e 's/^- //'" now might
save me some mail later.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBMx5jc9xynu/2qPVhAQEzWgQAnKsS8iVWiaFHp5FYcB/wK6/nJLjVy+WD
Z9thkQpeLLO3+MO/B4S2rHBn9gxAXWgxl+43d1irrEMk21bQkNQsr1yAwTS/sujP
1Tf5J9sAydF/vy+uAUjFKmsrSqc2q0ykz8G3zk1ila/ykR8GHH4t+e74y4oSvHB6
XS89DGLDzEE=
=U0q7
-----END PGP SIGNATURE-----