From crawdad@gungnir.fnal.gov Wed Oct 27 19:04:00 1999
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id TAA17663 for <bugs@RT-11.MIT.EDU>; Wed, 27 Oct 1999 19:03:59 -0400
Received: from gungnir.fnal.gov by MIT.EDU with SMTP
id AA16595; Wed, 27 Oct 99 19:04:15 EDT
Received: (from crawdad@localhost)
by gungnir.fnal.gov (8.9.1/8.9.1) id SAA27618;
Wed, 27 Oct 1999 18:03:39 -0500 (CDT)
Message-Id: <199910272303.SAA27618@gungnir.fnal.gov>
Date: Wed, 27 Oct 1999 18:03:39 -0500 (CDT)
From: crawdad@fnal.gov
Reply-To: crawdad@fnal.gov
To: krb5-bugs@MIT.EDU
Cc: crawdad@fnal.gov, kenh@cmf.nrl.navy.mil
Subject: user-creatable buffer overflow in ksu !!!!!
X-Send-Pr-Version: 3.99
Architecture: sun4
>Number: 780
>Category: krb5-libs
>Synopsis: krb5_string_to_deltat() bugs
>Confidential: yes
>Severity: critical
>Priority: high
>Responsible: krb5-unassigned
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Oct 27 19:05:01 EDT 1999
>Last-Modified: Fri Jan 7 14:07:38 EST 2000
>Originator: Matt Crawford
>Organization: Fermilab
>Release: krb5-1.0.6 and krb5-1.1
>Environment:
System: SunOS gungnir.fnal.gov 5.5.1 Generic_103640-24 sun4u sparc SUNW,Ultra-1
Architecture: sun4
>Description:
krb5_string_to_deltat uses sscanf strings like "%d%[d]" to scan into integers. "%[d]" matches any number of d's. Do the math.
>How-To-Repeat:
% ksu -r 3dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
Segmentation Fault
Discovery of a useful-length string of only d's, h's, m's or s's is
left to the reader, but can you be sure there isn't one? Two weeks
from now, what might the bugtraq community come up with?
>Fix:
The following patch fixes the above and also an error in parsing the "%dh%dm" and "%d:%02d" formats. Those were being interpreted as
minutes and seconds rather than hours and minutes. These line numbers
are relative to 1.0.6, but exactly the same bugs are in 1.1.
Index: lib/krb5/krb/str_conv.c
===================================================================
RCS file: /cvs/cd/kerberos/src/lib/krb5/krb/str_conv.c,v
retrieving revision 1.2
diff -u -r1.2 str_conv.c
--- str_conv.c 1999/06/18 20:39:27 1.2
+++ str_conv.c 1999/10/27 22:49:15
@@ -170,10 +170,10 @@
static const char dtscan_hms_stext[] = "%dh%dm%ds";
static const char dtscan_hm_notext[] = "%d:%02d";
static const char dtscan_hm_stext[] = "%dh%dm";
-static const char dtscan_days[] = "%d%[d]";
-static const char dtscan_hours[] = "%d%[h]";
-static const char dtscan_minutes[] = "%d%[m]";
-static const char dtscan_seconds[] = "%d%[s]";
+static const char dtscan_days[] = "%d%1[d]";
+static const char dtscan_hours[] = "%d%1[h]";
+static const char dtscan_minutes[] = "%d%1[m]";
+static const char dtscan_seconds[] = "%d%1[s]";
static const char dt_day_singular[] = "day";
static const char dt_day_plural[] = "days";
static const char dt_output_donly[] = "%d %s";
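Review bot: the width in `%d%1[d]` (and the `h`, `m`, `s` variants) caps what the scanset stores at one character plus the terminating NUL, which closes the overflow, but it does not on its own reject input with extra unit letters: for "3ddd" sscanf still returns 2 and the remaining "dd" is silently left unread unless the caller verifies that the whole string was consumed (a trailing `%n` compared against the input length would do). Either add that check where these formats are applied or document that trailing text is tolerated. The `%dh%dm%ds`, `%d:%02d` and `%dh%dm` strings above contain no scanset and are unaffected.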
@@ -262,8 +262,8 @@
{ dtscan_dhms_stext, 4, 0, 1, 2, 3 },
{ dtscan_hms_notext, 3, -1, 0, 1, 2 },
{ dtscan_hms_stext, 3, -1, 0, 1, 2 },
-{ dtscan_hm_notext, 2, -1, -1, 0, 1 },
-{ dtscan_hm_stext, 2, -1, -1, 0, 1 },
+{ dtscan_hm_notext, 2, -1, 0, 1, -1 },
+{ dtscan_hm_stext, 2, -1, 0, 1, -1 },
{ dtscan_days, 2, 0, -1, -1, -1 },
{ dtscan_hours, 2, -1, 0, -1, -1 },
{ dtscan_minutes, 2, -1, -1, 0, -1 },
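Review bot: the two changed rows move the scanned fields of `dtscan_hm_notext` and `dtscan_hm_stext` from the minute/second columns to the hour/minute columns, which matches the `%d:%02d` and `%dh%dm` formats and the column order used by the neighbouring `dtscan_hms_*`, `dtscan_days`, `dtscan_hours` and `dtscan_minutes` rows. A regression test asserting that "1:30", "1h30m" and "90m" all convert to the same value would keep this mapping from slipping again.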
>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Fri Jan 7 14:07:28 2000
State-Changed-Why:
Fixed in 1.1.1
>Unformatted:
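The description states that "%[d]" matches any number of d's and the patch limits it to "%1[d]". The C program below is an added illustration of both points; it is not part of the report and not krb5's str_conv.c. It measures how many bytes the unbounded scanset would store for a given input without storing anything (assignment suppression plus %n), and shows a bounded parser for the formats the patch touches. The function names, the whole-string check with %n, and the reading of "%d:%02d" and "%dh%dm" as hours:minutes are this example's own choices, not the library's API.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not krb5's str_conv.c. Shows the two points of
 * the report: an unbounded "%[d]" scanset stores as many bytes as the
 * input supplies, and a width-limited "%1[d]" cannot. The parser below
 * mirrors the formats visible in the patch and reads the "%d:%02d" and
 * "%dh%dm" forms as hours:minutes, as the corrected table does.
 */

/* How many bytes an unbounded "%[d]" after "%d" would write into its
 * destination (plus a NUL), measured without writing anything: "%*[d]"
 * suppresses assignment and "%n" reports the characters consumed so far.
 * Returns -1 if there is no leading integer, 0 if no run of 'd' follows.
 */
long unbounded_scanset_run(const char *s)
{
    int value, num_end = 0, total = 0;

    if (sscanf(s, "%d%n", &value, &num_end) != 1)
        return -1;
    /* A suppressed conversion does not count toward the return value;
     * if "%*[d]" fails, "%n" is never reached and total stays 0. */
    if (sscanf(s, "%d%*[d]%n", &value, &total) != 1 || total == 0)
        return 0;
    return (long)(total - num_end);
}

/* Bounded parser. Every pattern ends in "%n" and must consume the whole
 * string, so "3ddd" is rejected instead of being read as "3d" with
 * trailing junk or overflowing anything. Stores seconds in *out and
 * returns 0 on success, -1 on failure. */
int parse_deltat(const char *s, long *out)
{
    int a, b, c, n;
    char unit[2];   /* "%1[x]" stores at most one byte plus the NUL */
    size_t len = strlen(s);

    n = 0;
    if (sscanf(s, "%dh%dm%ds%n", &a, &b, &c, &n) == 3 && (size_t)n == len) {
        *out = (long)a * 3600 + (long)b * 60 + c;
        return 0;
    }
    n = 0;
    if (sscanf(s, "%d:%02d%n", &a, &b, &n) == 2 && (size_t)n == len) {
        *out = (long)a * 3600 + (long)b * 60;   /* hours:minutes */
        return 0;
    }
    n = 0;
    if (sscanf(s, "%dh%dm%n", &a, &b, &n) == 2 && (size_t)n == len) {
        *out = (long)a * 3600 + (long)b * 60;
        return 0;
    }
    n = 0;
    if (sscanf(s, "%d%1[d]%n", &a, unit, &n) == 2 && (size_t)n == len) {
        *out = (long)a * 86400;
        return 0;
    }
    n = 0;
    if (sscanf(s, "%d%1[h]%n", &a, unit, &n) == 2 && (size_t)n == len) {
        *out = (long)a * 3600;
        return 0;
    }
    n = 0;
    if (sscanf(s, "%d%1[m]%n", &a, unit, &n) == 2 && (size_t)n == len) {
        *out = (long)a * 60;
        return 0;
    }
    n = 0;
    if (sscanf(s, "%d%1[s]%n", &a, unit, &n) == 2 && (size_t)n == len) {
        *out = a;
        return 0;
    }
    return -1;
}

/* Convenience wrapper: seconds on success, -1 when the input is rejected. */
long deltat_or_minus1(const char *s)
{
    long secs;
    return parse_deltat(s, &secs) == 0 ? secs : -1;
}

int main(void)
{
    /* Constructed sample inputs, including one with trailing unit letters. */
    const char *samples[] = { "3d", "3ddd", "1:30", "1h30m", "90m", "2h", "45s", "1h2m3s" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s unbounded run=%ld  parsed=%ld\n", samples[i],
               unbounded_scanset_run(samples[i]), deltat_or_minus1(samples[i]));
    return 0;
}
```

The whole-string check is what turns the width limit into a real rejection: with "%1[d]" alone, "3ddd" still scans as "3d" and the remaining letters are ignored, so a caller that wants strict input has to compare the consumed length against the string length.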