From owner-freebsd-bugs Mon Feb 3 20:30:09 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id UAA16995 for bugs-outgoing; Mon, 3 Feb 1997 20:30:09 -0800 (PST) Received: (from gnats@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id UAA16983; Mon, 3 Feb 1997 20:30:04 -0800 (PST) Resent-Date: Mon, 3 Feb 1997 20:30:04 -0800 (PST) Resent-Message-Id: <199702040430.UAA16983@freefall.freebsd.org> Resent-From: gnats (GNATS Management) Resent-To: freebsd-bugs Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, tenser@spitfire.ecsel.psu.edu Received: from spitfire.ecsel.psu.edu (qmailr@spitfire.ecsel.psu.edu [146.186.218.51]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id UAA16887 for ; Mon, 3 Feb 1997 20:28:14 -0800 (PST) Received: (qmail 1234 invoked by uid 1000); 4 Feb 1997 04:28:10 -0000 Message-Id: <19970204042810.1233.qmail@spitfire.ecsel.psu.edu> Date: 4 Feb 1997 04:28:10 -0000 From: tenser@spitfire.ecsel.psu.edu Reply-To: tenser@spitfire.ecsel.psu.edu To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.2 Subject: misc/2654: Patches for locale buffer overruns for 2.1 and 2.2. Sender: owner-bugs@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >Number: 2654 >Category: misc >Synopsis: Patches for locale buffer overruns (2.1.x, 2.2) >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon Feb 3 20:30:02 PST 1997 >Last-Modified: >Originator: Dan Cross >Organization: The Pennsylvania State University, Department of Mathematics >Release: FreeBSD 2.2-CURRENT i386 >Environment: FreeBSD 2.1.6-RELEASE and a kind of dated 2.2-CURRENT. My current version of FreeBSD on this machine is rather dated; stemming from last September. I apologize, but I am going to guess that my patches might install cleanly. 
>Description: These are the patches that I posted to security@ regarding the locale buffer overruns in the CSU code under 2.1, and in the locale library functions in 2.2. I remember the last time I submitted patches, someone told me to use send-pr, so... :-) >How-To-Repeat: See the recent posts to Bugtraq and security@ >Fix: The following are two sets of patches, one for 2.1, the other for 2.2, repsectively. Although there is great overlap in what was changed, the two versions were disparate enough that I felt two sets of patches would be benficial. Thanks! (Please note; these patches compile on my systems, but I have not tested them thoroughly, and I'm not certain that they take care of every possible security bug in the locale code, but I think they might be of some use as a base for an official patch. Caveat emptor.) - Dan C. ----- Begin locale-2.1.diff *** collate.c 1997/02/04 02:49:05 1.1 --- collate.c 1997/02/04 02:54:58 *************** *** 66,75 **** return -1; if (!path_locale && !(path_locale = getenv("PATH_LOCALE"))) path_locale = _PATH_LOCALE; ! strcpy(buf, path_locale); ! strcat(buf, "/"); ! strcat(buf, encoding); ! strcat(buf, "/LC_COLLATE"); if ((fp = fopen(buf, "r")) == NULL) return -1; FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp); --- 66,73 ---- return -1; if (!path_locale && !(path_locale = getenv("PATH_LOCALE"))) path_locale = _PATH_LOCALE; ! (void)snprintf(buf, ! PATH_MAX, "%s/%s/LC_COLLATE", path_locale, encoding); if ((fp = fopen(buf, "r")) == NULL) return -1; FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp); *** rune.c 1997/02/04 03:18:28 1.1 --- rune.c 1997/02/04 03:19:21 *************** *** 74,83 **** if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; ! (void) strcpy(name, PathLocale); ! (void) strcat(name, "/"); ! (void) strcat(name, encoding); ! 
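Review bot: The replacement `(void)snprintf(buf, PATH_MAX, "%s/%s/LC_COLLATE", path_locale, encoding)` discards the return value, so an over-long PATH_LOCALE or encoding no longer overruns `buf` but produces a silently truncated path that is still handed to fopen; the same pattern is in the rune.c, startup_setlocale.c, 2.2 collate.c and setrunelocale.c hunks. The enclosing function and the declaration of `buf` are outside the hunk, so `PATH_MAX` as the bound is only right if the buffer really is `char buf[PATH_MAX]`; `sizeof buf` ties the bound to the declaration instead. I would write `int n = snprintf(buf, sizeof buf, "%s/%s/LC_COLLATE", path_locale, encoding);` followed by `if (n < 0 || (size_t)n >= sizeof buf) return -1;` (the negative check matters because older snprintf implementations return -1 on overflow), with `return(ENOENT)` in the LC_CTYPE loaders to match their existing error return. Separately, `path_locale` comes from `getenv("PATH_LOCALE")` two lines above the change, so the environment still selects the directory the locale tables are read from; the patch removes the overrun but does not address that trust question for set-id programs.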
(void) strcat(name, "/LC_CTYPE"); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); --- 74,81 ---- if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; ! (void)snprintf(name, ! PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); *** setlocale.c 1997/02/04 03:22:26 1.1 --- setlocale.c 1997/02/04 03:22:54 *************** *** 198,201 **** --- 198,203 ---- case LC_NUMERIC: return (NULL); } + + return(NULL); /* 2.2 has this with the comment, ``Just in Case'' */ } *** startup_setlocale.c 1997/02/03 07:40:46 1.1 --- startup_setlocale.c 1997/02/03 07:41:47 *************** *** 174,183 **** return(0); } ! (void) strcpy(name, PathLocale); ! (void) strcat(name, "/"); ! (void) strcat(name, encoding); ! (void) strcat(name, "/LC_CTYPE"); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); --- 174,181 ---- return(0); } ! (void) snprintf(name, ! PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); ----- End locale-2.1.diff And here is the stuff for 2.2: ----- Begin locale-2.2.diff *** collate.c 1997/02/03 23:45:56 1.1 --- collate.c 1997/02/03 23:49:55 *************** *** 71,80 **** return 0; if (!_PathLocale && !(_PathLocale = getenv("PATH_LOCALE"))) _PathLocale = _PATH_LOCALE; ! strcpy(buf, _PathLocale); ! strcat(buf, "/"); ! strcat(buf, encoding); ! strcat(buf, "/LC_COLLATE"); if ((fp = fopen(buf, "r")) == NULL) { __collate_load_error = save_load_error; return -1; --- 71,78 ---- return 0; if (!_PathLocale && !(_PathLocale = getenv("PATH_LOCALE"))) _PathLocale = _PATH_LOCALE; ! (void)snprintf(buf, ! PATH_MAX, "%s/%s/LC_COLLATE", _PathLocale, encoding); if ((fp = fopen(buf, "r")) == NULL) { __collate_load_error = save_load_error; return -1; *** setrunelocale.c 1997/02/03 23:47:15 1.1 --- setrunelocale.c 1997/02/03 23:48:19 *************** *** 86,95 **** if (!_PathLocale && !(_PathLocale = getenv("PATH_LOCALE"))) _PathLocale = _PATH_LOCALE; ! 
(void) strcpy(name, _PathLocale); ! (void) strcat(name, "/"); ! (void) strcat(name, encoding); ! (void) strcat(name, "/LC_CTYPE"); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); --- 86,93 ---- if (!_PathLocale && !(_PathLocale = getenv("PATH_LOCALE"))) _PathLocale = _PATH_LOCALE; ! (void)snprintf(name, ! PATH_MAX, "%s/%s/LC_CTYPE", _PathLocale, encoding); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); ----- End locale-2.2.diff >Audit-Trail: >Unformatted: