From owner-freebsd-security Tue Mar 11 10:24:30 2003
Delivered-To: freebsd-security@freebsd.org
Message-Id: <5.1.1.6.0.20030311190645.02f316c8@device.dyndns.org>
Date: Tue, 11 Mar 2003 19:24:03 +0100
From: "Guy P."
Subject: Re: Prov. patch for the file hole ISS disclosed
In-Reply-To: <20030311115215.1628a67b.nospam@hiltonbsd.com>
References: <20030311174126.GA57179@madman.celabo.org> <200303061415.h26EFlhD004317@device.dyndns.org> <5.2.0.9.2.20030311113159.0386fea0@localhost>

At 18:52 11/03/2003, Stephen Hilton wrote:
> I am getting ready to do a buildworld today on 4.8-RC and can
> test a patch if available. Does the patch provided by:
>
> Guy Poizat
>
> Appear correct?

After investigating what the file utility maintainers used in their fixed release, I'd suggest using the following patch instead, which looks more respectful of the original code to my eyes:

---------------------------------------------------------------
--- src/contrib/file/readelf.c Sun Nov 26 22:37:21 2000 +++ src/contrib/file/readelf.c.patched Mon Mar 10 15:30:59 2003 @@ -104,6 +104,9 @@ #define shs_type (class == ELFCLASS32 \ ? getu32(swap, sh32.sh_type) \ : getu32(swap, sh64.sh_type)) +#define sh_size (class == ELFCLASS32 \ + ? sizeof sh32 \ + : sizeof sh64) #define ph_addr (class == ELFCLASS32 \ ? (void *) &ph32 \ : (void *) &ph64) 
@@ -141,11 +144,14 @@ Elf32_Shdr sh32; Elf64_Shdr sh64; + if (size != sh_size) + error("corrupted section header size.\n"); + if (lseek(fd, off, SEEK_SET) == -1) error("lseek failed (%s).\n", strerror(errno)); for ( ; num; num--) { - if (read(fd, sh_addr, size) == -1) + if (read(fd, sh_addr, sh_size) == -1) error("read failed (%s).\n", strerror(errno)); if (shs_type == SHT_SYMTAB /* || shs_type == SHT_DYNSYM */) { (void) printf (", not stripped");
---------------------------------------------------------------

Forgive my terrible English...

-- Guy P.
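Review bot: the macro name `sh_size` introduced in the first hunk (the `@@ -104,6 +104,9 @@` region) is also the name of a member of `Elf32_Shdr` and `Elf64_Shdr`, so any later expression of the form `sh32.sh_size` or `sh64.sh_size` in this file would expand into the conditional and fail to compile; the existing `sh_addr` macro already takes the same risk, which is why the file gets away with it today, but a name such as `sh_hdrsize` would avoid the trap for the next person who touches this code. Otherwise the definition mirrors the existing `shs_type` macro (same reliance on the enclosing function's `class`, `sh32` and `sh64`) and yields exactly the number of bytes the `read()` in the second hunk can safely store.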
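Review bot: the `size != sh_size` check in the second hunk is what closes the hole the subject line refers to: `size` is a caller-supplied length that was passed straight to `read()` as the count for the fixed-size `sh32`/`sh64` locals, so any value larger than the structure overwrote the stack beyond them; rejecting every value other than the expected structure size before the loop is the right fix, and switching the `read()` length to `sh_size` as well means the buffer bound no longer depends on the check staying in place. Two smaller points: `error()` aborts the run, so a file with an unexpected section header size now makes `file` exit with "corrupted section header size." instead of reporting that entry and continuing, which is acceptable but worth stating in the commit message; and `read()` is still only tested for `-1`, so a short read on a truncated file leaves part of the header uninitialized before `shs_type` is consulted. Comparing the return value against `sh_size` (for example `if (read(fd, sh_addr, sh_size) != sh_size)`) would cover that case too.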