Date: Sun, 27 Oct 1996 08:22:36 -0800 (PST) From: tqbf@enteract.com To: freebsd-gnats-submit@freebsd.org Subject: bin/1905: There's a buffer overflow in FreeBSD libc glob() Message-ID: <199610271622.IAA29355@freefall.freebsd.org> Resent-Message-ID: <199610271630.IAA29630@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 1905 >Category: bin >Synopsis: There's a buffer overflow in FreeBSD libc glob() >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Oct 27 08:30:02 PST 1996 >Last-Modified: >Originator: Thomas Ptacek >Organization: EnterAct, L.L.C. >Release: FreeBSD 2.1.5-RELEASE >Environment: FreeBSD adam 2.1-STABLE FreeBSD 2.1-STABLE #0: Mon Sep 9 03:07:45 CDT 1996 tqbf@adam:/home1/src/sys/compile/ADAMSTOMP i386 >Description: glob0() calls globtilde() immediately, passing it a pointer to an array in glob0's stack frame. globtilde() will copy the contents of the HOME environment variable over this pointer without bounds checking. >How-To-Repeat: >Fix: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199610271622.IAA29355>