From: Paul Hart <hart@iserver.com>
Date: Fri, 27 Aug 1999 09:49:50 -0600 (MDT)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Buffer overflow in vixie cron?

On Thu, 26 Aug 1999, Paul Hart wrote:

> Our code already uses snprintf when using the MAILTO value, but the
> original Vixie cron used sprintf without length checks in both version
> 3.0 and 3.0.1. I'm assuming that's where the hole was.

I take that back. On closer inspection, the Red Hat patch fixes an overflow in cron_popen() in the for loop where the command string is broken down into tokens to make an argv[] array. In the original version, Vixie cron does not keep track of how many tokens it has extracted from the command string and it looks like it will happily overwrite past the end of the stack buffer where it keeps the array it's making.

Again, cron in FreeBSD appears to have already fixed this hole (yay!) but the hole appears not to have been as obvious as a string overflow.

Paul Hart

--
Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc.
hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/
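A bounded version of the argv[]-building loop the mail describes, as an added example that is not Vixie cron's or FreeBSD's code: the function name, the in-place whitespace split and the sample command lines are this example's own assumptions. It counts tokens as it extracts them and refuses a command that would not fit, which is the check the mail says the original loop lacked.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical reconstruction of a tokenizing loop that builds an argv[]
 * from a command string. cmd is split in place on whitespace; one slot is
 * always reserved for the terminating NULL that execvp() expects.
 * Returns the token count, or -1 if the tokens would not fit in argv[].
 * The unbounded loop described in the mail simply kept storing pointers
 * with no such count, so a long command ran past the end of the array. */
int split_argv_bounded(char *cmd, char **argv, size_t max_argv)
{
    size_t argc = 0;
    char *p = cmd;

    for (;;) {
        while (*p != '\0' && isspace((unsigned char)*p))
            p++;                     /* skip separators */
        if (*p == '\0')
            break;                   /* no more tokens */
        if (argc + 1 >= max_argv)    /* keep one slot for the NULL */
            return -1;               /* refuse instead of overflowing */
        argv[argc++] = p;            /* record start of this token */
        while (*p != '\0' && !isspace((unsigned char)*p))
            p++;                     /* scan to end of token */
        if (*p != '\0')
            *p++ = '\0';             /* terminate token, move on */
    }
    argv[argc] = NULL;
    return (int)argc;
}

/* Constructed sample input that fits: 4 tokens into an 8-slot argv[]. */
int demo_fits(void)
{
    char cmd[] = "/usr/bin/mail -s report root";
    char *argv[8];
    return split_argv_bounded(cmd, argv, 8);   /* returns 4 */
}

/* Constructed sample input that does not fit: 10 tokens, 8 slots. */
int demo_overflows(void)
{
    char cmd[] = "a b c d e f g h i j";
    char *argv[8];
    return split_argv_bounded(cmd, argv, 8);   /* returns -1 */
}
```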