On Sat, Feb 26, 2005 at 06:43:08PM -0800, Brian Dessent wrote:
>
>In kill.cc there exists the possibility to overflow the "char buf[80]"
>array by supplying malformed command line arguments.
>
>An attacker could use this to overwrite the return value on the stack
>and execute arbitrary code, but the amount of space available on the
>stack for shellcode is approx 108 bytes so you'd have to be mighty
>creative to do anything significant with it. A far-fetched scenario
>might be some kind of perl or other CGI script running under Apache that
>somehow allows a user-specified signal name to reach the command line of
>/bin/kill. Emphasis on the "far-fetched" part though.
>
>Example:
>
>$ /bin/kill -s `perl -e 'print "A"x200'`
>Segmentation fault (core dumped)
>
>As far as I can tell from CVS history this has existed in kill.cc since
>its first version (~5 years.) Trivial patch below.
>
>2005-02-26  Brian Dessent  <[EMAIL PROTECTED]>
>
>	* kill.cc (getsig): Use snprintf to prevent overflowing `buf'.
Thanks for the patch. Call me old-fashioned, but my first inclination in a case like this would be to just limit the format spec to avoid overflow. So, I've checked in a patch which does this.

cgf
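The two fixes discussed in this thread side by side, as an added example that is not Cygwin's kill.cc and not either poster's patch. It assumes the vulnerable helper builds the signal name into the 80-byte stack buffer with a printf-style "SIG%s" format (the thread does not show the format), and the function names, the 200-'A' argument and the small signal table are constructed for illustration. `would_overflow` measures what the unbounded sprintf would have written without performing the write; `getsig_snprintf` is the snprintf bound from the ChangeLog entry, and `getsig_fmt_limited` is cgf's alternative of capping the conversion with a precision in the format spec.

```c
/* Bounded-buffer rewrites of a getsig()-style helper.
 * Added example, not Cygwin's kill.cc; the "SIG%s" format is an assumption. */
#include <signal.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFLEN 80                         /* same size as the char buf[80] the report cites */
#define NAME_MAX_CHARS (BUFLEN - 3 - 1)   /* room left after "SIG" and the NUL: 76 */

/* Constructed lookup table standing in for the real signal-name resolver
 * (only ISO C signal macros, so it builds anywhere). */
static const struct { const char *name; int num; } sigtab[] = {
    { "SIGINT", SIGINT }, { "SIGTERM", SIGTERM },
    { "SIGABRT", SIGABRT }, { "SIGSEGV", SIGSEGV },
};

/* The attacker's argument from the report: `perl -e 'print "A"x200'`. */
const char *make_attack_name(size_t len)
{
    static char attack[256];
    if (len > sizeof attack - 1)
        len = sizeof attack - 1;
    memset(attack, 'A', len);
    attack[len] = '\0';
    return attack;
}

/* True when an unbounded sprintf(buf, "SIG%s", name) would write past an
 * 80-byte buffer.  snprintf with a NULL/0 target only measures the formatted
 * length (excluding the NUL); nothing is written here. */
bool would_overflow(const char *name)
{
    int needed = snprintf(NULL, 0, "SIG%s", name);
    return needed < 0 || (size_t)needed >= BUFLEN;
}

/* snprintf bound, as in the posted ChangeLog entry.  The result is always
 * NUL-terminated; the return value reports whether the whole name fit, so a
 * caller can reject an over-long name instead of resolving a silent prefix. */
bool getsig_snprintf(const char *name, char *out, size_t outlen)
{
    int needed = snprintf(out, outlen, "SIG%s", name);
    return needed >= 0 && (size_t)needed < outlen;
}

/* Format-spec limit, as in cgf's reply: keep sprintf but cap the %s conversion
 * with a precision, so at most 76 name bytes are copied; 3 + 76 + 1 == 80. */
void getsig_fmt_limited(const char *name, char out[BUFLEN])
{
    sprintf(out, "SIG%.*s", NAME_MAX_CHARS, name);
}

/* Length of the string the format-limited copy produces for `name'. */
size_t fmt_limited_len(const char *name)
{
    char buf[BUFLEN];
    getsig_fmt_limited(name, buf);
    return strlen(buf);
}

/* Resolve a "SIGxxx" string against the constructed table; -1 if unknown. */
int lookup_signal(const char *signame)
{
    for (size_t i = 0; i < sizeof sigtab / sizeof sigtab[0]; i++)
        if (strcmp(sigtab[i].name, signame) == 0)
            return sigtab[i].num;
    return -1;
}

/* End-to-end: what a hardened getsig() returns for a user-supplied name. */
int getsig(const char *name)
{
    char buf[BUFLEN];
    if (!getsig_snprintf(name, buf, sizeof buf))
        return -1;                  /* too long to be any real signal name */
    return lookup_signal(buf);
}

int main(void)
{
    const char *attack = make_attack_name(200);
    printf("TERM:  overflow=%d signal=%d\n", would_overflow("TERM"), getsig("TERM"));
    printf("A*200: overflow=%d signal=%d format-limited length=%zu\n",
           would_overflow(attack), getsig(attack), fmt_limited_len(attack));
    return 0;
}
```

The check on snprintf's return value is the part easy to forget: snprintf always terminates the buffer, but it reports the length it wanted to write, and a caller that ignores that value will quietly resolve a truncated name. The precision form needs no such check because the bound is fixed in the format, which is why it suits a one-line fix in code that cannot easily propagate an error.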