From owner-freebsd-bugs Sun Oct 27 08:30:05 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA29637 for bugs-outgoing; Sun, 27 Oct 1996 08:30:05 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA29630; Sun, 27 Oct 1996 08:30:03 -0800 (PST)
Resent-Date: Sun, 27 Oct 1996 08:30:03 -0800 (PST)
Resent-Message-Id: <199610271630.IAA29630@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org,
Received: (from nobody@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA29355; Sun, 27 Oct 1996 08:22:36 -0800 (PST)
Message-Id: <199610271622.IAA29355@freefall.freebsd.org>
Date: Sun, 27 Oct 1996 08:22:36 -0800 (PST)
From: tqbf@enteract.com
To: freebsd-gnats-submit@freebsd.org
X-Send-Pr-Version: www-1.0
Subject: bin/1905: There's a buffer overflow in FreeBSD libc glob()
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 1905
>Category: bin
>Synopsis: There's a buffer overflow in FreeBSD libc glob()
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Oct 27 08:30:02 PST 1996
>Last-Modified:
>Originator: Thomas Ptacek
>Organization: EnterAct, L.L.C.
>Release: FreeBSD 2.1.5-RELEASE
>Environment:
FreeBSD adam 2.1-STABLE FreeBSD 2.1-STABLE #0: Mon Sep 9 03:07:45 CDT 1996 tqbf@adam:/home1/src/sys/compile/ADAMSTOMP i386
>Description:
glob0() calls globtilde() immediately, passing it a pointer to an array
in glob0's stack frame. globtilde() will copy the contents of the HOME
environment variable over this pointer without bounds checking.
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
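
The pattern described in the report above, as an added C example that is not part of the original report and is not FreeBSD's glob.c. It is a simplified model that handles only a bare ~ prefix; the function names tilde_unbounded and tilde_bounded, the 64-byte PATBUF_LEN and passing HOME as a parameter are assumptions made for illustration, and it shows the unchecked copy beside a form that receives the buffer length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATBUF_LEN 64   /* assumed size; stands in for the array in the caller's frame */

/* Unchecked form, as the report describes it: HOME is copied into the
 * caller's buffer and the callee never learns how big that buffer is. */
const char *tilde_unbounded(const char *pattern, const char *home, char *buf)
{
    char *b = buf;

    if (pattern[0] != '~' || (pattern[1] != '/' && pattern[1] != '\0'))
        return pattern;                 /* nothing to expand */
    while (*home != '\0')
        *b++ = *home++;                 /* runs past buf when HOME is long */
    for (pattern++; (*b++ = *pattern++) != '\0'; )
        continue;
    return buf;
}

/* Checked form: the buffer length travels with the pointer, and an
 * expansion that does not fit (including its NUL) returns NULL. */
const char *tilde_bounded(const char *pattern, const char *home,
                          char *buf, size_t buflen)
{
    size_t hlen, rlen;

    if (pattern[0] != '~' || (pattern[1] != '/' && pattern[1] != '\0'))
        return pattern;
    if (home == NULL)
        return pattern;                 /* no HOME: leave the pattern alone */
    hlen = strlen(home);
    rlen = strlen(pattern + 1);
    if (hlen >= buflen || rlen >= buflen - hlen)
        return NULL;                    /* would overflow buf */
    memcpy(buf, home, hlen);
    memcpy(buf + hlen, pattern + 1, rlen + 1);
    return buf;
}

int main(void)
{
    char buf[PATBUF_LEN];               /* lives in this frame, like glob0()'s array */
    const char *r = tilde_bounded("~/src", getenv("HOME"), buf, sizeof buf);

    printf("%s\n", r != NULL ? r : "expansion too long, rejected");
    return 0;
}
```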