Date: 4 Feb 1997 04:28:10 -0000 From: tenser@spitfire.ecsel.psu.edu To: FreeBSD-gnats-submit@freebsd.org Subject: misc/2654: Patches for locale buffer overruns for 2.1 and 2.2. Message-ID: <19970204042810.1233.qmail@spitfire.ecsel.psu.edu> Resent-Message-ID: <199702040430.UAA16983@freefall.freebsd.org>
>Number: 2654
>Category: misc
>Synopsis: Patches for locale buffer overruns (2.1.x, 2.2)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Feb 3 20:30:02 PST 1997
>Last-Modified:
>Originator: Dan Cross
>Organization:
The Pennsylvania State University, Department of Mathematics
>Release: FreeBSD 2.2-CURRENT i386
>Environment:
FreeBSD 2.1.6-RELEASE and a kind of dated 2.2-CURRENT.
My current version of FreeBSD on this machine is rather dated;
stemming from last September. I apologize, but I am going to
guess that my patches might install cleanly.
>Description:
These are the patches that I posted to security@ regarding
the locale buffer overruns in the CSU code under 2.1, and
in the locale library functions in 2.2. I remember the
last time I submitted patches, someone told me to use send-pr,
so... :-)
>How-To-Repeat:
See the recent posts to Bugtraq and security@
>Fix:
The following are two sets of patches, one for 2.1, the other
for 2.2, respectively. Although there is great overlap in what
was changed, the two versions were disparate enough that I felt
two sets of patches would be beneficial. Thanks!
(Please note; these patches compile on my systems, but I have
not tested them thoroughly, and I'm not certain that they take
care of every possible security bug in the locale code, but I
think they might be of some use as a base for an official patch.
Caveat emptor.)
- Dan C.
----- Begin locale-2.1.diff
*** collate.c 1997/02/04 02:49:05 1.1
--- collate.c 1997/02/04 02:54:58
***************
*** 66,75 ****
return -1;
if (!path_locale && !(path_locale = getenv("PATH_LOCALE")))
path_locale = _PATH_LOCALE;
! strcpy(buf, path_locale);
! strcat(buf, "/");
! strcat(buf, encoding);
! strcat(buf, "/LC_COLLATE");
if ((fp = fopen(buf, "r")) == NULL)
return -1;
FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp);
--- 66,73 ----
return -1;
if (!path_locale && !(path_locale = getenv("PATH_LOCALE")))
path_locale = _PATH_LOCALE;
! (void)snprintf(buf,
! PATH_MAX, "%s/%s/LC_COLLATE", path_locale, encoding);
if ((fp = fopen(buf, "r")) == NULL)
return -1;
FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp);
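Review bot: The new snprintf on the `!` lines discards its return value, so a path_locale/encoding pair whose combined length reaches PATH_MAX is silently truncated and the truncated name is still handed to fopen on the next line; the overrun is gone, but truncation should be treated as a failure, e.g. `if (snprintf(buf, PATH_MAX, "%s/%s/LC_COLLATE", path_locale, encoding) >= PATH_MAX)` followed by `return -1;`. The bound is also the bare constant PATH_MAX rather than `sizeof buf`; buf is declared outside the hunk, so if it is an array of that size the sizeof form keeps the bound tied to the declaration rather than to a constant that must be kept in sync. Separately, encoding is interpolated into the path unchanged, so if a caller can supply a value containing '/' the lookup can resolve outside the PATH_LOCALE tree; rejecting such names before building the path would close that regardless of buffer handling. The same three points apply to the rune.c and startup_setlocale.c hunks in this set and to the collate.c and setrunelocale.c hunks in the 2.2 set. The enclosing function starts and ends outside the hunk.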
*** rune.c 1997/02/04 03:18:28 1.1
--- rune.c 1997/02/04 03:19:21
***************
*** 74,83 ****
if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE")))
PathLocale = _PATH_LOCALE;
! (void) strcpy(name, PathLocale);
! (void) strcat(name, "/");
! (void) strcat(name, encoding);
! (void) strcat(name, "/LC_CTYPE");
if ((fp = fopen(name, "r")) == NULL)
return(ENOENT);
--- 74,81 ----
if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE")))
PathLocale = _PATH_LOCALE;
! (void)snprintf(name,
! PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding);
if ((fp = fopen(name, "r")) == NULL)
return(ENOENT);
*** setlocale.c 1997/02/04 03:22:26 1.1
--- setlocale.c 1997/02/04 03:22:54
***************
*** 198,201 ****
--- 198,203 ----
case LC_NUMERIC:
return (NULL);
}
+
+ return(NULL); /* 2.2 has this with the comment, ``Just in Case'' */
}
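Review bot: The added `return(NULL)` makes the fall-off-the-end path of this non-void function explicit, but its comment records where the line was copied from rather than why it exists, which is what the next maintainer will need. If the switch above handles every category, say so with `return (NULL); /* NOTREACHED: every LC_* category returns above */`; if an unknown category can reach it, `return (NULL); /* unknown category */` is the honest form. The start of the switch and of the enclosing function are outside the hunk, so which of the two is true cannot be confirmed from here.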
*** startup_setlocale.c 1997/02/03 07:40:46 1.1
--- startup_setlocale.c 1997/02/03 07:41:47
***************
*** 174,183 ****
return(0);
}
! (void) strcpy(name, PathLocale);
! (void) strcat(name, "/");
! (void) strcat(name, encoding);
! (void) strcat(name, "/LC_CTYPE");
if ((fp = fopen(name, "r")) == NULL)
return(ENOENT);
--- 174,181 ----
return(0);
}
! (void) snprintf(name,
! PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding);
if ((fp = fopen(name, "r")) == NULL)
return(ENOENT);
----- End locale-2.1.diff
And here is the stuff for 2.2:
----- Begin locale-2.2.diff
*** collate.c 1997/02/03 23:45:56 1.1
--- collate.c 1997/02/03 23:49:55
***************
*** 71,80 ****
return 0;
if (!_PathLocale && !(_PathLocale = getenv("PATH_LOCALE")))
_PathLocale = _PATH_LOCALE;
! strcpy(buf, _PathLocale);
! strcat(buf, "/");
! strcat(buf, encoding);
! strcat(buf, "/LC_COLLATE");
if ((fp = fopen(buf, "r")) == NULL) {
__collate_load_error = save_load_error;
return -1;
--- 71,78 ----
return 0;
if (!_PathLocale && !(_PathLocale = getenv("PATH_LOCALE")))
_PathLocale = _PATH_LOCALE;
! (void)snprintf(buf,
! PATH_MAX, "%s/%s/LC_COLLATE", _PathLocale, encoding);
if ((fp = fopen(buf, "r")) == NULL) {
__collate_load_error = save_load_error;
return -1;
*** setrunelocale.c 1997/02/03 23:47:15 1.1
--- setrunelocale.c 1997/02/03 23:48:19
***************
*** 86,95 ****
if (!_PathLocale && !(_PathLocale = getenv("PATH_LOCALE")))
_PathLocale = _PATH_LOCALE;
! (void) strcpy(name, _PathLocale);
! (void) strcat(name, "/");
! (void) strcat(name, encoding);
! (void) strcat(name, "/LC_CTYPE");
if ((fp = fopen(name, "r")) == NULL)
return(ENOENT);
--- 86,93 ----
if (!_PathLocale && !(_PathLocale = getenv("PATH_LOCALE")))
_PathLocale = _PATH_LOCALE;
! (void)snprintf(name,
! PATH_MAX, "%s/%s/LC_CTYPE", _PathLocale, encoding);
if ((fp = fopen(name, "r")) == NULL)
return(ENOENT);
----- End locale-2.2.diff
>Audit-Trail:
>Unformatted:
