From owner-freebsd-security Tue Sep 21 4:31:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from wank.necropolis.org (wank.necropolis.org [207.246.128.93]) by hub.freebsd.org (Postfix) with ESMTP id 4DA3A14CF1 for ; Tue, 21 Sep 1999 04:31:11 -0700 (PDT) (envelope-from todd@flyingcroc.net)
Received: from localhost (todd@localhost) by wank.necropolis.org (8.9.3/8.9.3) with ESMTP id EAA63149 for ; Tue, 21 Sep 1999 04:34:13 -0700 (PDT) (envelope-from todd@flyingcroc.net)
X-Authentication-Warning: wank.necropolis.org: todd owned process doing -bs
Date: Tue, 21 Sep 1999 04:34:13 -0700 (PDT)
From: Todd Backman
X-Sender: todd@wank.necropolis.org
To: freebsd-security@freebsd.org
Subject: FreeBSD Security Advisory: FreeBSD-SA-99:06.amd (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Would someone be so kind as to tell me how to patch amd for this exploit? I assume that since the statement said "patches" there are two here.

I attempted to:

patch < amdpatch1 in /usr/sbin/ (after backing up amd of course) with errors

and

patch < amdpatch2 in /usr/sbin/ with errors.

Am I patching the correct file? Does the patch start at the "Index" line or the "/*" line?

Sorry for the bother and thanks in advance.

- Todd

***amdpatch1***

Index: xutil.c
===================================================================
RCS file: /home/ncvs/src/contrib/amd/libamu/xutil.c,v
retrieving revision 1.1.1.3
retrieving revision 1.1.1.3.2.1
diff -u -r1.1.1.3 -r1.1.1.3.2.1
--- xutil.c 1999/01/13 19:20:33 1.1.1.3
+++ xutil.c 1999/08/25 18:59:39 1.1.1.3.2.1
@@ -272,16 +272,18 @@ /* * Take a log format string and expand occurrences of %m - * with the current error code taken from errno. + * with the current error code taken from errno. Make sure + * 'e' never gets longer than maxlen characters. */ static void -expand_error(char *f, char *e) +expand_error(char *f, char *e, int maxlen) { extern int sys_nerr; - char *p; + char *p, *q; int error = errno; + int len = 0; - for (p = f; (*e = *p); e++, p++) { + for (p = f, q = e; (*q = *p) && len < maxlen; len++, q++, p++) { if (p[0] == '%' && p[1] == 'm') { const char *errstr; if (error < 0 || error >= sys_nerr) @@ -289,13 +291,15 @@ else errstr = sys_errlist[error]; if (errstr) - strcpy(e, errstr); + strcpy(q, errstr); else - sprintf(e, "Error %d", error); - e += strlen(e) - 1; + sprintf(q, "Error %d", error); + len += strlen(q) - 1; + q += strlen(q) - 1; p++; } } + e[maxlen-1] = '\0'; /* null terminate, to be sure */ } @@ -401,9 +405,15 @@ checkup_mem(); #endif /* DEBUG_MEM */ - expand_error(fmt, efmt); + expand_error(fmt, efmt, 1024); + /* + * XXX: ptr is 1024 bytes long. It is possible to write into it + * more than 1024 bytes, if efmt is already large, and vargs expand + * as well. + */ vsprintf(ptr, efmt, vargs); + msg[1023] = '\0'; /* null terminate, to be sure */ ptr += strlen(ptr); if (ptr[-1] == '\n') ***amdpatch2*** Index: amq_subr.c =================================================================== RCS file: /home/imp/FreeBSD/CVS/src/contrib/amd/amd/amq_subr.c,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- amq_subr.c 1999/01/13 20:03:54 1.3 +++ amq_subr.c 1999/09/07 23:07:03 1.4 
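Review bot: in amdpatch1's first hunk (the expand_error loop), the new condition `(*q = *p) && len < maxlen` stores the byte before it tests the bound, so once len reaches maxlen the loop still writes e[maxlen], one byte past the limit the new comment promises, and only then stops. Swap the operands so the length test runs first, e.g. `for (p = f, q = e; len < maxlen && (*q = *p); len++, q++, p++)`, and state in the comment whether maxlen includes the terminating NUL.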
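Review bot: in amdpatch1's second hunk, `strcpy(q, errstr)` and `sprintf(q, "Error %d", error)` copy the expansion of %m without regard to how much of maxlen remains, so the bound added by this patch only limits the bytes copied from the format string, not the errno text; the trailing `e[maxlen-1] = '\0'` terminates the buffer but cannot undo bytes already written past it. Bound the copy by the remaining space, e.g. `snprintf(q, maxlen - len, "%s", errstr)` and the same for the "Error %d" fallback, and break out of the loop once len reaches maxlen.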
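Review bot: in amdpatch1's third hunk, the XXX comment itself admits that `vsprintf(ptr, efmt, vargs)` can still write more than 1024 bytes, so adding `msg[1023] = '\0'` terminates the buffer without closing the overflow; the call should become `vsnprintf` bounded by the space left after ptr. Two smaller points: the comment says ptr is 1024 bytes long while the terminator is written to msg[1023], so the relationship between msg and ptr should be spelled out, and the literal 1024 in `expand_error(fmt, efmt, 1024)` should come from the buffer's declared size (a sizeof or a named constant) so the bound cannot drift from the declaration.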
@@ -204,11 +204,24 @@ int * amqproc_mount_1_svc(voidp argp, struct svc_req *rqstp) { - static int rc; - char *s = *(amq_string *) argp; + static int rc = EINVAL; + char s[AMQ_STRLEN]; char *cp; + char dq[20]; + struct sockaddr_in *sin; + + if ((sin = amu_svc_getcaller(rqstp->rq_xprt)) == NULL) { + plog(XLOG_ERROR, "amu_svc_getcaller returned NULL"); + return &rc; + } + + strncpy(s, *(amq_string *) argp, AMQ_STRLEN-1); + s[AMQ_STRLEN-1] = '\0'; /* null terminate, to be sure */ + plog(XLOG_ERROR, + "amq requested mount of %s from %s.%d", + s, inet_dquad(dq, sin->sin_addr.s_addr), + ntohs(sin->sin_port)); - plog(XLOG_INFO, "amq requested mount of %s", s); /* * Minimalist security check. */

=============================================================================
FreeBSD, Inc.
Web Site: http://www.freebsd.org/
Confidential contacts: security-officer@freebsd.org
Security notifications: security-notifications@freebsd.org
Security public discussion: freebsd-security@freebsd.org
PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc
Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary.
=============================================================================

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
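Review bot: in amdpatch2's hunk, the mount-request log line is raised from XLOG_INFO to XLOG_ERROR, so every legitimate amq mount request is now reported as an error; if the intent is an audit trail of which caller asked for which mount, keep it at XLOG_INFO (or a warning level) and reserve XLOG_ERROR for the `amu_svc_getcaller` failure path. Also, `char dq[20]` is a bare magic number for the dotted-quad buffer handed to `inet_dquad`; a named constant derived from the maximum "ddd.ddd.ddd.ddd" length plus NUL would document the size. The bounded `strncpy` into `s[AMQ_STRLEN]` followed by an explicit terminator is the right replacement for the old unbounded `char *s` alias of the RPC argument.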