Date:      Tue, 07 Dec 1999 12:46:18 -0700
From:      tstromberg@rtci.com
To:        freebsd-audit@freebsd.org
Subject:   FW: Buffer overflows
Message-ID:  <84714733.944601517508.JavaMail.chenresig@karma>

This was sent to me by Theo DeRaadt (everyone on this list should be familiar with him). I thought you guys might be interested since we seem to be helping each other quite a bit. We may want to integrate several of their programs as we see here, or at least apply similar fixes if need be.

On a side note, I managed to accidentally trash all of my testing data by removing the wrong directory, but at least it's forced me to rewrite some large portions of the testing code. I've added (and fixed) several more tests, and found interim solutions to all of the lovely zombies I've been getting. Hopefully the zombie fixes will mean fewer reboots for me in -CURRENT.

I guess this means I get to re-run through all of the binaries; this time, however, I'll have simultaneous testing with -CURRENT, two -STABLE machines, and Solaris 7. Right now I've got one of our admins installing an OpenBSD 2.6 system for tests as well.


Hi Thomas.

Referencing:
    http://docs.freebsd.org/cgi/getmsg.cgi?fetch=41804+0+current/freebsd-audit

--------------------

07DEC99 /usr/sbin/fsinfo        fsinfo -D [3000]
07DEC99 /usr/bin/tconv          set $TERMCAP to [2000], tconv -D blah

    These are not in openbsd.

07DEC99 /usr/libexec/f771       stdin overflow, echo [2000] | f771 -G

    OpenBSD f77 does not show this bug; we use the brand new gcc
    2.95.1 codebase.

07DEC99 /usr/bin/rs             stdin overflow, echo [1000] | rs (handled)

    revision 1.2
    date: 1996/05/21 21:37:11;  author: deraadt;  state: Exp;  lines: +46 -45
    avoid divide-by-zero trap when specifying small widths
    do not overrun entry array when printing output tables
    cleanup storage allocation for entries
    use err/warn etc.

07DEC99 /usr/libexec/getty      stdin overflow, echo [2000] | getty -x

    Just fixed.

    revision 1.13
    date: 1999/12/07 19:24:27;  author: deraadt;  state: Exp;  lines: +7 -5
    do not crash if stdin is not a tty

07DEC99 /usr/libexec/elf/as     as [65000]
07DEC99 /usr/libexec/aout/as    as [65000]

Cannot reproduce.

07DEC99 /usr/bin/rpcgen         rpcgen -Y [8192] 

    revision 1.4
    date: 1999/12/04 21:58:31;  author: deraadt;  state: Exp;  lines: +6 -5
    oflow

    Note the date very carefully.  That's what I call 'proactive'

07DEC99 /usr/bin/jot            jot -w [8192] (all args)

    revision 1.4
    date: 1999/12/04 21:28:34;  author: deraadt;  state: Exp;  lines: +8 -4
    more oflows

    Again, note the date.

07DEC99 /usr/bin/indent         set $HOME to [8192]

    revision 1.3
    date: 1996/10/28 00:36:23;  author: millert;  state: Exp;  lines: +7 -2
    Safe $HOME usage.

03DEC99 /usr/bin/error          error -I [16384]

    revision 1.5
    date: 1999/12/04 00:16:52;  author: deraadt;  state: Exp;  lines: +11 -9
    avoid overflows

03DEC99 /usr/bin/fsplit         fsplit -e [16384]

    We have not fixed the 10 problems in fsplit yet.  We may just remove
    it, since no one uses it.

03DEC99 /usr/bin/grops          grops -c blah [16384]

    Not fixed yet.

03DEC99 /usr/bin/patch          patch -r [16384]

    patch.c:
    ----------------------------
    revision 1.13
    date: 1999/12/04 01:01:06;  author: provos;  state: Exp;  lines: +9 -5
    avoid overflows
    
    util.c
    revision 1.9
    date: 1999/12/04 21:00:03;  author: provos;  state: Exp;  lines: +19 -40
    a few more overflows gone
    ----------------------------
    revision 1.8
    date: 1999/12/04 01:04:14;  author: provos;  state: Exp;  lines: +3 -3
    revert strlcpy to strcpy for one case.
    ----------------------------
    revision 1.7
    date: 1999/12/04 01:01:07;  author: provos;  state: Exp;  lines: +12 -9
    avoid overflows
    
    pch.c
    revision 1.10
    date: 1999/12/04 01:01:07;  author: provos;  state: Exp;  lines: +7 -7
    avoid overflows
    ----------------------------
    
03DEC99 /usr/bin/pr+            pr -s [16384]

    date: 1999/12/03 23:43:02;  author: deraadt;  state: Exp;  lines: +8 -7
    the -s option was broken; spotted by tstromberg@rtci.com on freebsd-audit,
    but i have not seen them fix any of the bugs

    That one includes a little bit of realistic commentary.

03DEC99 /usr/bin/ypcat+         ypcat -d [16384] blah   <libc!> 

    This bug was fixed almost 4 years ago.

03DEC99 /usr/libexec/aout/as    stdin overflow, echo [16384] | as -I

    This bug still exists.

30NOV99 /usr/bin/awk            awk -f [8192]

    We use a different awk; the true Kernighan version.
    That said, we found other bugs and fixed them:

    revision 1.8
    date: 1999/12/04 00:12:25;  author: millert;  state: Exp;  lines: +6 -2
    Fix 2 core dumps:
    1) give an error if the user specifies > 20 -f options instead of oflowing
    2) use snprintf in the ERROR macro to avoid an oflow

30NOV99 /usr/bin/ee             set $NLSPATH to [32769]
30NOV99 /usr/bin/doscmd         doscmd [4000]

    Not in OpenBSD.

30NOV99 /usr/bin/dnsquery       dnsquery [4000]

    revision 1.4
    date: 1999/12/04 00:22:34;  author: deraadt;  state: Exp;  lines: +15 -4
    avoid overflow

30NOV99 /usr/bin/dig            dig -k [16000]

    This is a disaster.  We've not fixed it yet.

30NOV99 /usr/bin/crunchgen      crunchgen [8192]

    revision 1.15
    date: 1999/12/06 01:47:58;  author: deraadt;  state: Exp;  lines: +46 -16
    oflow fixes; provos

30NOV99 /usr/bin/colldef        colldef -I [8192]

    Not in OpenBSD.

30NOV99 /usr/bin/captoinfo      set $TERMCAP to [32769]

    Not reproducible.  We use brand new ncurses.

30NOV99 /usr/bin/banner+        banner [8192]           

    Must have been a bug introduced by FreeBSD.

30NOV99 /usr/bin/as             as [8192]

    Not reproducible.

30NOV99 /usr/bin/apply          startslip -d [8192] -c [8192]

    revision 1.6
    date: 1999/12/03 23:55:18;  author: deraadt;  state: Exp;  lines: +3 -3
    off by one for string length calculation

    Note that FreeBSD has the same fix, but this patch went out a few hours
    before it was fixed in FreeBSD....

30NOV99 /usr/bin/Mail           set $HOME to [32769]

    revision 1.4
    date: 1996/10/28 00:42:21;  author: millert;  state: Exp;  lines: +3 -3
    Ignore $HOME if > MAXPATHLEN

30NOV99 /sbin/startslip         startslip -d [8192] -c [8192]
30NOV99 /sbin/natd              natd -w [16384] blah

    Not in OpenBSD.

30NOV99 /sbin/mount_mfs         mount_mfs [8192] [8192]

    Bug not in OpenBSD.

30NOV99 /sbin/dhclient          dhclient [40000]

    revision 1.7
    date: 1999/12/04 00:15:09;  author: angelos;  state: Exp;  lines: +2 -2
    Careful with long, command-line provided interface names.

30NOV99 /bin/red                red [40000]
30NOV99 /bin/ed                 ed [40000]

    revision 1.14
    date: 1998/05/18 20:36:14;  author: deraadt;  state: Exp;  lines: +27 -13
    buf oflows

15NOV99 /usr/bin/systat*        race condition with bad exit

    I have never seen that bug.  I do know of another two bugs in systat,
    not security related, but have not managed to reproduce them.

10NOV99 /sbin/rdump*+           dump -0 [1024]  <libc!>         
10NOV99 /sbin/dump*+            dump -0 [1024]  <libc!>         

    Numerous fixes over the years for buffer overflows, including:

revision 1.25
date: 1998/11/24 01:25:47;  author: deraadt;  state: Exp;  lines: +2 -2
Wall, and do not let tapesize overflow
--------------------
revision 1.21
date: 1998/08/07 17:29:25;  author: millert;  state: Exp;  lines: +23 -23
Use strlcpy() instead of strncpy().
Change the order of name -> raw device conversions
    1) statfs the name and use that info iff the name is the mount point
    2) look up name in fstab
    3) treat as a device
The reason for this is that the mounted filesystems may not agree with
what fstab says.  Anyone who has ever moved disks around and accidentally
dumped an empty filesystem will know what I mean.
--------------------
revision 1.9
date: 1996/09/14 03:26:02;  author: millert;  state: Exp;  lines: +1 -2
Now uses "wall -g" so no need to be setgid tty.  This makes $RSH work.
Also fix buf oflow.
----
revision 1.5
date: 1996/08/02 10:26:48;  author: deraadt;  state: Exp;  lines: +3 -3
mostly harmless buffer overflow


I grant you permission to re-post this to the freebsd mailing lists.  I don't
post there, but you may repost this, if it helps your cause.

If there is any doubt as to what the freebsd-audit project is, and how
freebsd deals with code quality concerns, this should be it.

But more so, it says who OpenBSD is.  OpenBSD people -- we've got a few more
bugs to squish.
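Several of the fixes logged above ("Safe $HOME usage", "Ignore $HOME if > MAXPATHLEN") share one pattern: an environment value of attacker-chosen length must not be strcpy()'d into a fixed MAXPATHLEN buffer. The following is an added illustration of that pattern, not code from either OpenBSD or FreeBSD; the function names, the ".mailrc" file name and the 8192-byte test value are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>   /* MAXPATHLEN on BSD and Linux */

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024  /* fallback for platforms without it */
#endif

/*
 * Build "<home>/<file>" into a caller-supplied fixed buffer.
 * Instead of strcpy()'ing $HOME into a MAXPATHLEN-sized array, the value is
 * rejected when it is as long as (or longer than) MAXPATHLEN, and the copy
 * itself goes through snprintf() so a borderline value truncates rather
 * than overruns.  Returns 0 on success, -1 if the value is missing, too
 * long, or would not fit with the file name appended.
 */
int build_home_path(const char *home, const char *file, char *out, size_t outsz)
{
    if (home == NULL || *home == '\0')
        return -1;
    if (strlen(home) >= MAXPATHLEN)      /* the "Ignore $HOME if > MAXPATHLEN" check */
        return -1;
    int n = snprintf(out, outsz, "%s/%s", home, file);
    if (n < 0 || (size_t)n >= outsz)     /* snprintf reports the untruncated length */
        return -1;
    return 0;
}

/* Same check driven by the real environment, as a program would call it. */
int home_path_from_env(const char *file, char *out, size_t outsz)
{
    return build_home_path(getenv("HOME"), file, out, outsz);
}

/* Exercise the check with a constructed $HOME of `len` bytes of 'A'. */
int check_home_of_length(size_t len)
{
    char out[MAXPATHLEN];
    char *home = malloc(len + 1);
    if (home == NULL)
        return -1;
    memset(home, 'A', len);
    home[len] = '\0';
    int rc = build_home_path(home, ".mailrc", out, sizeof out);
    free(home);
    return rc;
}

int main(void)
{
    printf("8192-byte HOME: %d (expect -1)\n", check_home_of_length(8192));
    printf("10-byte HOME:   %d (expect 0)\n", check_home_of_length(10));
    return 0;
}
```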
