From: "Matthew N. Dodd"
To: freebsd-security@FreeBSD.ORG
Date: Sun, 1 Nov 1998 18:42:13 -0500 (EST)
Subject: SSH vsprintf patch. (You've been warned Mr. Glass)

Look for details on this tomorrow but here is a patch that addresses the vsprintf calls in ssh 1.2.26.

--- log-server.c.orig Sun Nov 1 18:21:57 1998 +++ log-server.c Sun Nov 1 18:20:39 1998 @@ -134,7 +134,7 @@ if (log_quiet) return; va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); if (log_on_stderr) fprintf(stderr, "log: %s\n", buf); @@ -175,7 +175,7 @@ if (log_quiet) return; va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); if (log_on_stderr) fprintf(stderr, "log: %s\n", buf); 
@@ -191,7 +191,7 @@ if (!log_debug || log_quiet) return; va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); if (log_on_stderr) fprintf(stderr, "debug: %s\n", buf); @@ -207,7 +207,7 @@ if (log_quiet) return; va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); if (log_on_stderr) fprintf(stderr, "error: %s\n", buf); @@ -302,7 +302,7 @@ if (log_quiet) exit(1); va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); if (log_on_stderr) fprintf(stderr, "fatal: %s\n", buf); @@ -321,7 +321,7 @@ if (log_quiet) exit(1); va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); if (log_on_stderr) fprintf(stderr, "fatal: %s\n", buf); --- packet.c.orig Sun Nov 1 18:16:33 1998 +++ packet.c Sun Nov 1 18:25:11 1998 @@ -693,7 +693,7 @@ va_list args; va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); packet_start(SSH_MSG_DEBUG); @@ -719,7 +719,7 @@ /* Format the message. Note that the caller must make sure the message is of limited size. */ va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); /* Send the disconnect message to the other side, and wait for it to get --- scp.c.orig Sun Nov 1 18:16:41 1998 +++ scp.c Sun Nov 1 18:25:56 1998 
@@ -332,7 +332,7 @@ char buf[1024]; va_start(ap, fmt); - vsprintf(buf, fmt, ap); + vsnprintf(buf, sizeof(buf), fmt, ap); va_end(ap); fprintf(stderr, "%s\n", buf); exit(255);

-- 
| Matthew N. Dodd | 78 280Z | 75 164E | 84 245DL | FreeBSD/NetBSD/Sprite/VMS |
| winter@jurai.net | This Space For Rent | ix86,sparc,m68k,pmax,vax |
| http://www.jurai.net/~winter | Are you k-rad elite enough for my webpage? |
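
Review bot: In all six log-server.c hunks the declaration of buf lies outside the visible context, so sizeof(buf) is the right bound only if buf is a local char array in each of those functions; if any of them holds buf as a pointer, sizeof(buf) is the pointer size and the message is cut to a few bytes. Please confirm each declaration (the scp.c hunk shows char buf[1024], these do not). The return value of vsnprintf is also discarded in every hunk, so a truncated log, debug, error or fatal line cannot be told apart from a complete one; checking it and appending a truncation marker would make that visible to whoever reads the log.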
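
Review bot: In the packet.c hunk at -719 the retained comment "Note that the caller must make sure the message is of limited size" no longer describes the code, because the callee now bounds the write itself; it should say that the message is truncated to sizeof(buf). In both packet.c hunks the formatted buffer is sent to the peer (packet_start(SSH_MSG_DEBUG) follows the first, the disconnect message the second), and buf's declaration is not in the visible context of either, so confirm it is an array rather than a pointer before relying on sizeof(buf), and decide whether a silently shortened message is acceptable on the wire.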
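
Review bot: In the scp.c hunk buf is visibly char buf[1024] and, within the context shown, is used only to format the message, print it with fprintf(stderr, "%s\n", buf) and then exit(255), so the intermediate buffer could be dropped: vfprintf(stderr, fmt, ap) followed by a newline writes the message with no fixed-size buffer and no truncation. If the buffer stays, the sizeof(buf) bound is correct here.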