From owner-freebsd-audit Tue Dec 7 13:18:53 1999
Delivered-To: freebsd-audit@freebsd.org
Received: from barracuda.aquarium.rtci.com (barracuda.aquarium.rtci.com [208.11.247.5]) by hub.freebsd.org (Postfix) with ESMTP id 20EBD14E8B for ; Tue, 7 Dec 1999 13:18:44 -0800 (PST) (envelope-from tstromberg@rtci.com)
Received: from karma (karma.afterthought.org [208.11.244.6]) by barracuda.aquarium.rtci.com (8.9.3+Sun/8.9.3) with SMTP id QAA17319 for ; Tue, 7 Dec 1999 16:18:43 -0500 (EST)
Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by barracuda.aquarium.rtci.com (8.9.3+Sun/8.9.3) with ESMTP id OAA14286 for ; Tue, 7 Dec 1999 14:46:41 -0500 (EST)
Received: from cvs.openbsd.org (IDENT:deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.9.3/8.9.1) with ESMTP id MAA18862; Tue, 7 Dec 1999 12:46:18 -0700 (MST)
Message-ID: <84714733.944601517508.JavaMail.chenresig@karma>
Date: Tue, 07 Dec 1999 12:46:18 -0700
From: tstromberg@rtci.com
To: freebsd-audit@freebsd.org
Subject: FW: Buffer overflows
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Scanned-By: AntiMail $Revision: 1.57 $ by Thomas Stromberg [RTCI]
X-Mailer: ICEMail (rel 2.8.2)
Organization: Research Triangle Commerce, Inc.
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

This was sent to me by Theo DeRaadt (everyone on this list should be familiar with him). I thought you guys might be interested since we seem to be helping each other quite a bit. We may want to integrate several of their programs as we see here, or at least apply similar fixes if need be.

On a side note, I managed to accidentally trash all of my testing data by removing the wrong directory, but at least it's forced me to rewrite some large portions of the testing code. I've added (and fixed) several more tests, and found an interim solution to all of the lovely zombies I've been getting. Hopefully the zombie fixes will mean fewer reboots for me in -CURRENT.

I guess this means I get to re-run through all of the binaries; this time, however, I'll have simultaneous testing with -CURRENT, two -STABLE machines, and Solaris 7. Right now I've got one of our admins installing an OpenBSD 2.6 system for tests as well.

Hi Thomas.

Referencing: http://docs.freebsd.org/cgi/getmsg.cgi?fetch=41804+0+current/freebsd-audit

--------------------
07DEC99 /usr/sbin/fsinfo fsinfo -D [3000]
07DEC99 /usr/bin/tconv set $TERMCAP to [2000], tconv -D blah

These are not in openbsd.

07DEC99 /usr/libexec/f771 stdin overflow, echo [2000] | f771 -G

OpenBSD f77 does not show this bug; we use the brand new gcc 2.95.1 codebase.

07DEC99 /usr/bin/rs stdin overflow, echo [1000] | rs (handled)

revision 1.2
date: 1996/05/21 21:37:11; author: deraadt; state: Exp; lines: +46 -45
avoid divide-by-zero trap when specifying small widths
do not overrun entry array when printing output tables
cleanup storage allocation for entries
use err/warn etc.

07DEC99 /usr/libexec/getty stdin overflow, echo [2000] | getty -x

Just fixed.

revision 1.13
date: 1999/12/07 19:24:27; author: deraadt; state: Exp; lines: +7 -5
do not crash if stdin is not a tty

07DEC99 /usr/libexec/elf/as as [65000]
07DEC99 /usr/libexec/aout/as as [65000]

Cannot reproduce.

07DEC99 /usr/bin/rpcgen rpcgen -Y [8192]

revision 1.4
date: 1999/12/04 21:58:31; author: deraadt; state: Exp; lines: +6 -5
oflow

Note the date very carefully. That's what I call 'proactive'.

07DEC99 /usr/bin/jot jot -w [8192] (all args)

revision 1.4
date: 1999/12/04 21:28:34; author: deraadt; state: Exp; lines: +8 -4
more oflows

Again, note the date.

07DEC99 /usr/bin/indent set $HOME to [8192]

revision 1.3
date: 1996/10/28 00:36:23; author: millert; state: Exp; lines: +7 -2
Safe $HOME usage.

03DEC99 /usr/bin/error error -I [16384]

revision 1.5
date: 1999/12/04 00:16:52; author: deraadt; state: Exp; lines: +11 -9
avoid overflows

03DEC99 /usr/bin/fsplit fsplit -e [16384]

We have not fixed the 10 problems in fsplit yet. We may just remove it, since no one uses it.

03DEC99 /usr/bin/grops grops -c blah [16384]

Not fixed yet.

03DEC99 /usr/bin/patch patch -r [16384]

patch.c:
----------------------------
revision 1.13
date: 1999/12/04 01:01:06; author: provos; state: Exp; lines: +9 -5
avoid overflows

util.c
revision 1.9
date: 1999/12/04 21:00:03; author: provos; state: Exp; lines: +19 -40
a few more overflows gone
----------------------------
revision 1.8
date: 1999/12/04 01:04:14; author: provos; state: Exp; lines: +3 -3
revert strlcpy to strcpy for one case.
----------------------------
revision 1.7
date: 1999/12/04 01:01:07; author: provos; state: Exp; lines: +12 -9
avoid overflows

pch.c
revision 1.10
date: 1999/12/04 01:01:07; author: provos; state: Exp; lines: +7 -7
avoid overflows
----------------------------

03DEC99 /usr/bin/pr+ pr -s [16384]

date: 1999/12/03 23:43:02; author: deraadt; state: Exp; lines: +8 -7
the -s option was broken; spotted by tstromberg@rtci.com on freebsd-audit,
but i have not seen them fix any of the bugs

That one includes a little bit of realistic commentary.

03DEC99 /usr/bin/ypcat+ ypcat -d [16384] blah

This bug was fixed almost 4 years ago.

03DEC99 /usr/libexec/aout/as stdin overflow, echo [16384] | as -I

This bug still exists.

30NOV99 /usr/bin/awk awk -f [8192]

We use a different awk; the true Kernighan version. That said, we found other bugs and fixed them:

revision 1.8
date: 1999/12/04 00:12:25; author: millert; state: Exp; lines: +6 -2
Fix 2 core dumps:
1) give an error if the user specifies > 20 -f options instead of oflowing
2) use snprintf in the ERROR macro to avoid an oflow

30NOV99 /usr/bin/ee set $NLSPATH to [32769]
30NOV99 /usr/bin/doscmd doscmd [4000]

Not in OpenBSD.

30NOV99 /usr/bin/dnsquery dnsquery [4000]

revision 1.4
date: 1999/12/04 00:22:34; author: deraadt; state: Exp; lines: +15 -4
avoid overflow

30NOV99 /usr/bin/dig dig -k [16000]

This is a disaster. We've not fixed it yet.

30NOV99 /usr/bin/crunchgen crunchgen [8192]

revision 1.15
date: 1999/12/06 01:47:58; author: deraadt; state: Exp; lines: +46 -16
oflow fixes; provos

30NOV99 /usr/bin/colldef colldef -I [8192]

Not in OpenBSD.

30NOV99 /usr/bin/captoinfo set $TERMCAP to [32769]

Not reproducible. We use brand new ncurses.

30NOV99 /usr/bin/banner+ banner [8192]

Must have been a bug introduced by FreeBSD.

30NOV99 /usr/bin/as as [8192]

Not reproducible.

30NOV99 /usr/bin/apply startslip -d [8192] -c [8192]

revision 1.6
date: 1999/12/03 23:55:18; author: deraadt; state: Exp; lines: +3 -3
off by one for string length calculation

Note that FreeBSD has the same fix, but this patch went out a few hours before it was fixed in FreeBSD....

30NOV99 /usr/bin/Mail set $HOME to [32769]

revision 1.4
date: 1996/10/28 00:42:21; author: millert; state: Exp; lines: +3 -3
Ignore $HOME if > MAXPATHLEN

30NOV99 /sbin/startslip startslip -d [8192] -c [8192]
30NOV99 /sbin/natd natd -w [16384] blah

Not in OpenBSD.

30NOV99 /sbin/mount_mfs mount_mfs [8192] [8192]

Bug not in OpenBSD.

30NOV99 /sbin/dhclient dhclient [40000]

revision 1.7
date: 1999/12/04 00:15:09; author: angelos; state: Exp; lines: +2 -2
Careful with long, command-line provided interface names.

30NOV99 /bin/red red [40000]
30NOV99 /bin/ed ed [40000]

revision 1.14
date: 1998/05/18 20:36:14; author: deraadt; state: Exp; lines: +27 -13
buf oflows

15NOV99 /usr/bin/systat* race condition with bad exit

I have never seen that bug. I do know of another two bugs in systat, not security related, but have not managed to reproduce them.

10NOV99 /sbin/rdump*+ dump -0 [1024]
10NOV99 /sbin/dump*+ dump -0 [1024]

Numerous fixes over the years for buffer overflows, including:

revision 1.25
date: 1998/11/24 01:25:47; author: deraadt; state: Exp; lines: +2 -2
Wall, and do not let tapesize overflow
--------------------
revision 1.21
date: 1998/08/07 17:29:25; author: millert; state: Exp; lines: +23 -23
Use strlcpy() instead of strncpy().
Change the order of name -> raw device conversions
1) statfs the name and use that info iff the name is the mount point
2) look up name in fstab
3) treat as a device
The reason for this is that the mounted filesystems may not agree with
what fstab says. Anyone who has ever moved disks around and accidentally
dumped an empty filesystem will know what I mean.
--------------------
revision 1.9
date: 1996/09/14 03:26:02; author: millert; state: Exp; lines: +1 -2
Now uses "wall -g" so no need to be setgid tty. This makes $RSH work.
Also fix buf oflow.
----
revision 1.5
date: 1996/08/02 10:26:48; author: deraadt; state: Exp; lines: +3 -3
mostly harmless buffer overflow

I grant you permission to re-post this to the freebsd mailing lists. I don't post there, but you may repost this, if it helps your cause.

If there is any doubt as to what the freebsd-audit project is, and how freebsd deals with code quality concerns, this should be it. But more so, it says who OpenBSD is.

OpenBSD people -- we've got a few more bugs to squish.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
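The commit logs quoted above name three fixes without showing the code: ignore `$HOME` when it exceeds `MAXPATHLEN` (Mail, indent), refuse more than 20 `-f` options instead of writing past the array (awk), and copy a command-line interface name into a fixed field with `strlcpy()` rather than `strncpy()`/`strcpy()` (dhclient, dump). The following C file is an added example written for this thread; it is not code from the OpenBSD or FreeBSD trees nor from the commits Theo quotes. The function names (`bounded_copy`, `set_ifname`, `home_file_path`, `add_progfile`, `collect_progfiles`) and the `IFNAMSIZ_LOCAL` constant are this example's own; the 20-file limit and the `MAXPATHLEN` test are the ones the logs describe, and `MAXPATHLEN` is defined locally so the file builds and behaves the same on any system.

```c
#include <stdio.h>
#include <string.h>

/* Defined locally (not pulled from <sys/param.h>) so the example is
 * self-contained; the BSD value is 1024. */
#define MAXPATHLEN     1024
#define IFNAMSIZ_LOCAL 16    /* assumed size of a kernel interface-name field */
#define MAX_PROGFILES  20    /* the -f limit named in the awk log above */

/* The strlcpy() contract under a private name so it cannot clash with a
 * libc that already has strlcpy(): always NUL-terminates when dstsize > 0
 * and returns strlen(src), so the caller detects truncation with
 * (ret >= dstsize). strncpy() gives neither guarantee, which is why the
 * dump log switches away from it. */
static size_t
bounded_copy(char *dst, const char *src, size_t dstsize)
{
	size_t srclen = strlen(src);

	if (dstsize > 0) {
		size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return srclen;
}

/* "Careful with long, command-line provided interface names": copy an
 * argv-supplied name into a fixed field and reject it when it does not fit,
 * instead of letting strcpy() run past the end. Returns 0 or -1. */
static int
set_ifname(char dst[IFNAMSIZ_LOCAL], const char *src)
{
	if (bounded_copy(dst, src, IFNAMSIZ_LOCAL) >= IFNAMSIZ_LOCAL) {
		dst[0] = '\0';          /* leave nothing half-copied behind */
		return -1;
	}
	return 0;
}

/* "Ignore $HOME if > MAXPATHLEN" / "Safe $HOME usage": build "<home>/<file>"
 * into a caller-owned buffer. Returns 0 on success, -1 when home is unset,
 * longer than MAXPATHLEN, or the joined path would not fit. The crashing
 * form this replaces was strcpy(buf, home); strcat(buf, "/"); strcat(buf, file); */
static int
home_file_path(const char *home, const char *file, char *buf, size_t bufsize)
{
	if (home == NULL || *home == '\0' || file == NULL)
		return -1;
	if (strlen(home) >= MAXPATHLEN)
		return -1;              /* the environment value is simply ignored */
	int n = snprintf(buf, bufsize, "%s/%s", home, file);
	if (n < 0 || (size_t)n >= bufsize)
		return -1;              /* would have been truncated: an error, not silence */
	return 0;
}

/* "give an error if the user specifies > 20 -f options instead of oflowing":
 * a fixed table with an explicit count that is checked before every store. */
struct progfiles {
	const char *names[MAX_PROGFILES];
	int count;
};

static int
add_progfile(struct progfiles *pf, const char *name)
{
	if (pf->count >= MAX_PROGFILES)
		return -1;              /* the overflowing version had no check here */
	pf->names[pf->count++] = name;
	return 0;
}

/* Scan an argv-style list for "-f file" pairs. Returns the number stored,
 * or -1 as soon as one does not fit (the caller reports an error). */
static int
collect_progfiles(struct progfiles *pf, int argc, char *const argv[])
{
	pf->count = 0;
	for (int i = 1; i < argc; i++) {
		if (strcmp(argv[i], "-f") == 0 && i + 1 < argc) {
			i++;
			if (add_progfile(pf, argv[i]) == -1)
				return -1;
		}
	}
	return pf->count;
}

int
main(void)
{
	char ifname[IFNAMSIZ_LOCAL], path[MAXPATHLEN];
	char huge[MAXPATHLEN + 8];      /* constructed: a value longer than MAXPATHLEN */

	memset(huge, 'A', sizeof(huge) - 1);
	huge[sizeof(huge) - 1] = '\0';
	printf("ifname ok: %d, too long: %d\n",
	    set_ifname(ifname, "em0"), set_ifname(ifname, huge));
	printf("home ok: %d, too long: %d\n",
	    home_file_path("/home/tstromberg", ".mailrc", path, sizeof(path)),
	    home_file_path(huge, ".mailrc", path, sizeof(path)));
	return 0;
}
```

Each function returns -1 on oversized input rather than truncating quietly, which is the behaviour the fuzz runs in this thread exercise: a program that refuses an 8192-byte argument or a 32769-byte environment variable with a clean error cannot be made to corrupt its stack by that input.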