Date: Mon, 16 Dec 1996 15:16:04 -0700 From: Warner Losh <imp@village.org> To: Marc Slemko <marcs@znep.com> Cc: Dmitry Valdov <dv@kis.ru>, freebsd-bugs@freebsd.org, freebsd-security@freebsd.org Subject: Re: crontab security hole Message-ID: <E0vZlKO-0005ST-00@rover.village.org> In-Reply-To: Your message of "Mon, 16 Dec 1996 06:51:33 MST." <Pine.BSF.3.95.961216064624.7792B-100000@alive.ampr.ab.ca> References: <Pine.BSF.3.95.961216064624.7792B-100000@alive.ampr.ab.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <Pine.BSF.3.95.961216064624.7792B-100000@alive.ampr.ab.ca> Marc Slemko writes: : It was fixed in -stable the other day by pst. The patch, pulled : from the CVS tree, follows. : : Index: cron/database.c : =================================================================== : RCS file: /usr/cvs/src/usr.sbin/cron/cron/database.c,v : retrieving revision 1.1.1.1 : retrieving revision 1.1.1.1.6.1 : diff -c -r1.1.1.1 -r1.1.1.1.6.1 : *** database.c 1994/08/27 13:43:03 1.1.1.1 : --- database.c 1996/12/15 20:37:47 1.1.1.1.6.1 : *************** : *** 112,119 **** : if (dp->d_name[0] == '.') : continue; : : ! (void) strcpy(fname, dp->d_name); : ! sprintf(tabname, CRON_TAB(fname)); : : process_crontab(fname, fname, tabname, : &statbuf, &new_db, old_db); : --- 112,119 ---- : if (dp->d_name[0] == '.') : continue; : : ! (void)snprintf(fname, sizeof fname, "%s", dp->d_name); : ! (void)snprintf(tabname, sizeof tabname, CRON_TAB(fname)); strncpy(fname, dp->d_name, sizeof(fname)-1 ); fname[sizeof(fname)-1] = '\0'; strncpy(tabname, CRON_TAB(fname), sizeof(tabname)-1 ); tabname[sizeof(tabname)-1] = '\0'; : process_crontab(fname, fname, tabname, : &statbuf, &new_db, old_db); ... etc ... would be a better fix since that doesn't involve stdio... Warner
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E0vZlKO-0005ST-00>