Date: Thu, 23 Mar 2000 15:45:39 -0500 (EST) From: Mikhail Teterin <mi@video-collage.com> To: FreeBSD-gnats-submit@FreeBSD.org Cc: ume@FreeBSD.org, bill@gkrellm.net Subject: ports/17573: gkrellm defaults to the wrong mbox location, uses sprintf unsafely Message-ID: <200003232045.PAA83658@dufus.video-collage.com>
>Number:         17573
>Category:       ports
>Synopsis:       gkrellm defaults to the wrong mbox location, uses sprintf unsafely
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 23 12:50:02 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Mikhail Teterin
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
Virtual Estates, Inc.
>Environment:
>Description:
The wrong (for BSD) path /var/spool/mail/%s is hardcoded in mail.c instead of /var/mail/%s ... Easy enough :)

The length of the buffer (128) seems a bit "off-the-wall". Normally, a user-name is below 8 or 16 characters...

This patch also addresses the security hole, exploitable by setting the USER environment variable to something very, very long, but there are plenty of other spots where sprintf is used instead of snprintf to construct strings in buffers. A program that wants to be installed suid should probably use snprintf exclusively (or, even better, strncat, if it's just the concatenation that's needed).
>How-To-Repeat:
>Fix:
Put the following into the port's patches/patch-mail :

--- mail.c	Fri Mar 10 16:04:25 2000
+++ mail.c	Thu Mar 23 15:24:21 2000
@@ -885,3 +885,3 @@
 {
-	sprintf(buf, "/var/spool/mail/%s", s);
+	snprintf(buf, 127, "/var/mail/%s", s);
 	s = buf;
>Release-Note:
>Audit-Trail:
>Unformatted:
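Review bot: the size argument in `+ snprintf(buf, 127, "/var/mail/%s", s);` is a hard-coded 127 that has to be kept in sync with the 128-byte buffer the description mentions; when buf is an array in scope, `sizeof(buf)` is the conventional value (snprintf already reserves room for the terminating NUL, so 128 is correct) and it survives a later resize of the buffer. More importantly, snprintf removes the overflow but truncates silently: with an oversized USER the hunk leaves `s = buf;` pointing at a shorter, different path that the program then goes on to open. Check the return value (a result `>= sizeof(buf)` means the output was truncated) and treat that as an error instead of continuing. For the directory itself, FreeBSD's <paths.h> provides _PATH_MAILDIR ("/var/mail"), so the path need not be hard-coded in mail.c at all.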
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200003232045.PAA83658>
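The report's point, beyond the wrong directory, is that a fixed buffer filled from an attacker-controlled environment variable must be bounded and that a bounded write must not be silently truncated either. The following is an added example written for this page, not gkrellm's code: it builds the mbox path into a 128-byte buffer with snprintf, checks the return value so an oversized name is rejected rather than turned into a different path, and, as an extra policy the report does not propose, refuses user names that could escape the spool directory. The MBOX_DIR macro, the function names and the constructed inputs are assumptions of this example.

```c
/* Added example, not part of gkrellm: bounded construction of a mailbox
   path from an untrusted user name (e.g. the USER environment variable). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* FreeBSD's <paths.h> provides _PATH_MAILDIR with this value; a private
   macro is used here so the example is self-contained on any system. */
#define MBOX_DIR "/var/mail"

/* Hypothetical policy: reject empty names and anything containing a '/'
   or equal to "." / "..", which could name a file outside MBOX_DIR. */
static int valid_user_name(const char *user)
{
    if (user == NULL || *user == '\0')
        return 0;
    if (strchr(user, '/') != NULL)
        return 0;
    return strcmp(user, ".") != 0 && strcmp(user, "..") != 0;
}

/* Fill buf with MBOX_DIR "/" user. Returns 0 on success, -1 if the name is
   rejected or the result would not fit. snprintf never writes past buflen,
   but it truncates; the return value tells us whether that happened. */
int build_mbox_path(const char *user, char *buf, size_t buflen)
{
    if (buflen == 0)
        return -1;
    if (!valid_user_name(user)) {
        buf[0] = '\0';
        return -1;
    }
    int n = snprintf(buf, buflen, "%s/%s", MBOX_DIR, user);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';          /* never hand back a truncated path */
        return -1;
    }
    return 0;
}

/* Helper for the boundary check: a constructed name of `len` 'a's fed
   into the same 128-byte buffer the report describes. */
int check_user_of_length(size_t len)
{
    char name[512];
    char buf[128];
    if (len >= sizeof name)
        return -1;
    memset(name, 'a', len);
    name[len] = '\0';
    return build_mbox_path(name, buf, sizeof buf);
}

/* Convenience wrapper returning the path from a static buffer, or NULL. */
const char *mbox_path_or_null(const char *user)
{
    static char buf[128];
    return build_mbox_path(user, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    /* Constructed inputs: a normal name, and an oversized name of the kind
       the report describes being delivered through the USER variable. */
    const char *user = getenv("USER");
    if (user == NULL)
        user = "mi";
    const char *p = mbox_path_or_null(user);
    printf("%s -> %s\n", user, p ? p : "(rejected)");
    printf("117-char name: %s\n", check_user_of_length(117) == 0 ? "fits" : "rejected");
    printf("118-char name: %s\n", check_user_of_length(118) == 0 ? "fits" : "rejected");
    return 0;
}
```

The boundary is exact: "/var/mail/" is 10 bytes, so a 117-character name fills 127 bytes plus the NUL and is accepted, while 118 characters would need 129 bytes and is rejected with an empty buffer instead of a truncated path.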