From bbense@telemark.stanford.edu Mon Mar 23 15:52:19 1998
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id PAA24284 for <bugs@RT-11.MIT.EDU>; Mon, 23 Mar 1998 15:52:19 -0500
Received: from telemark.Stanford.EDU by MIT.EDU with SMTP
id AA19104; Mon, 23 Mar 98 15:52:52 EST
Received: by telemark.stanford.edu (8.9.0.Beta1/8.7.3) id MAA19536; Mon, 23 Mar 1998 12:52:15 -0800 (PST)
Message-Id: <Pine.GSO.3.96.980323124822.18505D-100000@telemark.stanford.edu>
Date: Mon, 23 Mar 1998 12:52:15 -0800 (PST)
From: Booker Bense <bbense@networking.stanford.edu>
To: krb5-bugs@MIT.EDU
Subject: Buffer overrun in Version 1.0.5 appl/bsd/login.c

>Number: 571
>Category: krb5-appl
>Synopsis: Buffer overrun in Version 1.0.5 appl/bsd/login.c
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Mar 23 15:53:00 EST 1998
>Last-Modified: Sat May 16 17:28:00 EDT 1998
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:

Responsible-Changed-From-To: gnats-admin->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Fri Mar 27 19:49:20 1998
Responsible-Changed-Why:

Refiled.

State-Changed-From-To: open-analyzed
State-Changed-By: tlyu
State-Changed-When: Fri Mar 27 19:49:39 1998
State-Changed-Why:

This doesn't look too serious, though still not certain if it's
exploitable.

State-Changed-From-To: analyzed-closed
State-Changed-By: tlyu
State-Changed-When: Sat May 16 17:26:58 1998
State-Changed-Why:

Fixed

src/appl/bsd/login.c 5.70


From: Tom Yu <tlyu@MIT.EDU>
To: bbense@networking.stanford.edu
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-appl/571: Buffer overrun in Version 1.0.5 appl/bsd/login.c
Date: Sat, 16 May 1998 17:26:51 -0400

Thanks for the report; I've fixed the strcpy invocations that you've
noted, as well as a few others. Note that strncpy by itself is not
safe, as it can leave off a terminating nul under some conditions;
I've therefore added explicit nul terminations following calls to
strncpy.

---Tom
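Tom's point about strncpy, shown as an added C example that is not code from krb5's login.c or from either correspondent. It puts the flagged strcpy, the strncpy-only replacement from the report, and the bounded-copy-plus-terminator fix side by side on the same inputs. CCFILE_SIZE and the three cache-name strings are assumptions chosen for the demonstration; a real ticket-cache buffer is larger, but the behaviour at the boundary is identical.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from krb5 login.c. CCFILE_SIZE is an assumed
 * buffer size, kept small so each failure mode is visible; the cache
 * names below are constructed inputs, not real ticket-cache paths. */
#define CCFILE_SIZE 16

/* Pattern the report flagged: unbounded strcpy. A source of CCFILE_SIZE
 * or more characters writes past the end of dst, so this wrapper refuses
 * instead of overflowing. Returns 0 on success, -1 if it would overflow. */
int copy_strcpy(char dst[CCFILE_SIZE], const char *src)
{
    if (strlen(src) >= CCFILE_SIZE)
        return -1;
    strcpy(dst, src);
    return 0;
}

/* strncpy with the full buffer size, as in the submitted patch. When src
 * has CCFILE_SIZE or more characters, strncpy fills every byte of dst and
 * writes no terminator, so dst is no longer a C string and a later
 * strlen() or unlink() reads past it. Returns 1 if dst ends up NUL
 * terminated, 0 if not. */
int copy_strncpy_only(char dst[CCFILE_SIZE], const char *src)
{
    strncpy(dst, src, CCFILE_SIZE);
    return memchr(dst, '\0', CCFILE_SIZE) != NULL;
}

/* The fix Tom describes: bounded copy plus an explicit terminator. dst is
 * always a valid C string afterwards; returns 1 if src was truncated so
 * the caller can decide whether a shortened path is acceptable. */
int copy_bounded(char dst[CCFILE_SIZE], const char *src)
{
    strncpy(dst, src, CCFILE_SIZE - 1);
    dst[CCFILE_SIZE - 1] = '\0';
    return strlen(src) > (size_t)(CCFILE_SIZE - 1);
}

/* Exercise the three copies on a short, an exactly-full and an over-long
 * input and report each outcome as one bit (all six set gives 0x3f):
 *   bit 0  strcpy wrapper refused the over-long input
 *   bit 1  strncpy alone left the short input terminated (it fits)
 *   bit 2  strncpy alone left the exactly-full input unterminated
 *   bit 3  strncpy alone left the over-long input unterminated
 *   bit 4  bounded copy reported truncation of the over-long input
 *   bit 5  bounded result is a terminated string of CCFILE_SIZE-1 chars */
unsigned run_demo(void)
{
    const char *short_name = "FILE:/tmp/k5";                        /* 12 chars */
    const char *full_name  = "FILE:/tmp/krb5cc";                    /* 16 chars */
    const char *long_name  = "FILE:/tmp/krb5cc_pid_12345_overlong"; /* 35 chars */
    char buf[CCFILE_SIZE];
    unsigned bits = 0;

    if (copy_strcpy(buf, long_name) == -1)    bits |= 1u << 0;
    if (copy_strncpy_only(buf, short_name))   bits |= 1u << 1;
    if (!copy_strncpy_only(buf, full_name))   bits |= 1u << 2;
    if (!copy_strncpy_only(buf, long_name))   bits |= 1u << 3;
    if (copy_bounded(buf, long_name))         bits |= 1u << 4;
    if (strlen(buf) == CCFILE_SIZE - 1)       bits |= 1u << 5;
    return bits;
}

int main(void)
{
    printf("demo bits: 0x%x\n", run_demo());
    return 0;
}
```

The exactly-full case is the one that bites: a source of precisely sizeof(buf) characters fills the buffer with strncpy and leaves no terminator, even though nothing was "overflowed". Reporting truncation from the bounded copy matters here too, because a silently shortened ticket-cache path is a different file from the one Kerberos is using.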
>Unformatted:
- Forgive me if I'm being overly paranoid, but
I was poking around in login.c and found these
potential buffer overruns. Exploiting them
might be difficult, but they are there.

- Booker c. Bense

*** login.c Mon Mar 23 12:44:09 1998
--- login.c~ Fri Feb 6 19:41:18 1998
***************
*** 487,493 ****
unlink(ccfile+strlen("FILE:"));
} else {
/* note it correctly */
! strncpy(ccfile, getenv(KRB5_ENV_CCNAME),sizeof(ccfile));
}

#ifdef KRB4_GET_TICKETS
--- 487,493 ----
unlink(ccfile+strlen("FILE:"));
} else {
/* note it correctly */
! strcpy(ccfile, getenv(KRB5_ENV_CCNAME));
}

#ifdef KRB4_GET_TICKETS
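Review bot: `strncpy(ccfile, getenv(KRB5_ENV_CCNAME), sizeof(ccfile))` still leaves ccfile without a terminating NUL whenever the environment value is sizeof(ccfile) bytes or longer, and the `unlink(ccfile+strlen("FILE:"))` in the other branch shows ccfile is later treated as a C string; add `ccfile[sizeof(ccfile)-1] = '\0';` after the copy, or copy only sizeof(ccfile)-1 bytes. Two further points on this hunk: the result of getenv() is copied without a NULL check, which is only safe if the condition guarding this else branch already established that the variable is set; and the diff is generated the wrong way round (the `***` side is the edited login.c of Mar 23, the `---` side the login.c~ backup of Feb 6), so in every hunk the strcpy line is the before state and the strncpy line is the proposal.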
***************
*** 617,623 ****
} else {
/* get_name pulls out just the name not the
type */
! strncpy(ccfile, krb5_cc_get_name(kcontext, ccache),sizeof(ccfile));
krbflag = got_v5_tickets = 1;
return 1;
}
--- 617,623 ----
} else {
/* get_name pulls out just the name not the
type */
! strcpy(ccfile, krb5_cc_get_name(kcontext, ccache));
krbflag = got_v5_tickets = 1;
return 1;
}
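Review bot: same termination gap with `strncpy(ccfile, krb5_cc_get_name(kcontext, ccache), sizeof(ccfile))`: when the cache name fills the buffer there is no NUL, yet the function goes on to set krbflag and got_v5_tickets and return 1, so the unterminated ccfile is consumed downstream as if it were valid. Terminate explicitly after the copy. Also confirm that ccfile here is the same array the earlier hunk unlinks and not a pointer in this scope; `sizeof(ccfile)` is only the buffer length for an array, and the three hunks sit in different parts of the file.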
***************
*** 708,714 ****
return 0;
}
got_v4_tickets = 1;
! strncpy(tkfile, tkt_string(),sizeof(tkfile));
return 1;
}
#endif
--- 708,714 ----
return 0;
}
got_v4_tickets = 1;
! strcpy(tkfile, tkt_string());
return 1;
}
#endif
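Review bot: `strncpy(tkfile, tkt_string(), sizeof(tkfile))` has the same missing terminator as the two ccfile copies, and got_v4_tickets is set to 1 regardless of whether the name fit. Since this is the third instance of the pattern, a small helper that does the bounded strncpy, writes `dst[size-1] = '\0'` and returns whether the source was truncated, called from all three sites, would keep the fix in one place; a truncated ticket-file path should be treated as an error rather than recorded as a successful ticket acquisition, because a later unlink or open on the shortened name refers to a different file from the one Kerberos actually used.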