From owner-freebsd-bugs Wed Dec 9 05:20:02 1998
Message-Id: <199812091310.FAA09756@passer.osg.gov.bc.ca>
Date: Wed, 9 Dec 1998 05:10:28 -0800 (PST)
From: Cy Schubert
Reply-To: cschuber@uumail.gov.bc.ca
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: bin/9031: bootpd.c buffer overrun
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 9031
>Category: bin
>Synopsis: OpenBSD fix to bootpd remote root exploit
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 9 05:20:01 PST 1998
>Last-Modified:
>Originator: Cy Schubert
>Organization: ITSD, Province of BC
>Release: FreeBSD 2.2.8-RELEASE i386
>Environment:
FreeBSD passer.osg.gov.bc.ca 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE #0: Thu Dec 3 08:25:32 PST 1998 root@passer.osg.gov.bc.ca:/opt/usr_src-228/src/sys/compile/PASSER i386

Supplied patch will apply cleanly to 3.0 tree.
>Description:
Buffer overrun condition in bootpd.c can be remotely exploited to obtain unauthorized root privilege.
>How-To-Repeat:
Exploit code unavailable to me.
>Fix:
The following patch will apply cleanly to 2.2 and 3.0 CVS trees. Thanks to Theo de Raadt for creating the OpenBSD patch, which this patch is based on.

--- /usr/src/libexec/bootpd/bootpd.c Sat Jul 18 23:52:58 1998 +++ /tmp/bootpd.c Wed Dec 9 04:56:55 1998 @@ -833,7 +833,8 @@ * daemon chroot directory (i.e. /tftpboot). */ if (hp->flags.tftpdir) { - strcpy(realpath, hp->tftpdir->string); + strncpy(realpath, hp->tftpdir->string,sizeofr(realpath-1)); + realpath[sizeof(realpath-1)] = '\0'; clntpath = &realpath[strlen(realpath)]; } else { realpath[0] = '\0';
>Audit-Trail:
>Unformatted:
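Review bot: both added lines put the `-1` inside the sizeof parentheses, and the strncpy line spells the operator `sizeofr`, so the patch as posted will not compile. With the typo fixed, `sizeof(realpath-1)` is still the size of the pointer expression `realpath-1` (4 bytes on the i386 release named in this PR), not the buffer size minus one, so the copy would be limited to 4 bytes and the terminator written at index 4, truncating any longer tftpdir path. The intended bound is `strncpy(realpath, hp->tftpdir->string, sizeof(realpath) - 1);` followed by `realpath[sizeof(realpath) - 1] = '\0';`, which is correct only if `realpath` is declared as an array in this scope; the declaration is not in the hunk, so it needs confirming. Since `clntpath` is then set to the end of the copied string, whatever is later written through it needs its own bound on the space remaining in `realpath`; that code is outside this hunk and should be checked as part of the same fix.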