[CVS server local bug. Please update -- Raju]

This is an RFC 1153 digest. (1 message)
----------------------------------------------------------------------

Message-ID: <[EMAIL PROTECTED]>
From: "david evlis reign" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [DER ADV#8] - Local off by one in CVSD
Date: Sat, 25 May 2002 08:08:55 +0000

Local off by one overflow in CVSD.

intro:

the family of scanf functions (scanf, sscanf, fscanf) are generally insecure in usage and steps have been taken to make them more...secure you might say, like adding bounds checking (sscanf(hey, "%.4096s %d", buffer, int)), but the function still remains quite insecure against a lesser known bug like an off by one.

WRONG:

    char buf[10];
    int i;
    sscanf(hey, "%10s", buf);   /* <-- width 10 stores ten bytes plus the terminating NUL */

RIGHT:

    char buf[10];
    int i;
    sscanf(hey, "%9s", buf);    /* <-- see! nine bytes plus the NUL fit in buf[10] */

therefore in the first example (WRONG) the last byte into buf will exceed the allocated space (10 bytes) by one byte. woops.

(http://www.hert.org/papers/klog-1.html <-- nice article)

details:

in cvs-1.11/src/rcs.c:

    info = findnode (vers->other_delta, "special");
    if (info != NULL)
    {
        /* If the size of `devtype' changes, fix the sscanf call also */
        char devtype[16];                          /* <-- SIXTEEN BYTES */

        if (sscanf (info->data, "%16s %lu",        /* <-- WOOPS SHOULD BE 15 */
                    devtype, &devnum_long) < 2)
            error (1, 0, "%s:%s has bad `special' newphrase %s",
                   workfile, vers->version, info->data);
        devnum = devnum_long;
        if (STREQ (devtype, "character"))
            special_file = S_IFCHR;
        else if (STREQ (devtype, "block"))
            special_file = S_IFBLK;
        else
            error (0, 0, "%s is a special file of unsupported type `%s'",
                   workfile, info->data);
    }

this is only a locally exploitable hole since the data is read from info->data which in turn is from a symlinked local file (heh, you know where to find it); we at der sys have created the following patch:

__END_OF_PATCH;
##########################
#DER PATCH FOR CVS < 1.11#
##########################
--- rcs_old.c Mon Jan 25 02:05:16 2002
+++ rcs.c Mon Jan 25 02:05:40 2002
--- 4238: if (sscanf (info->data, "%16s %lu",
+++ 4238: if (sscanf (info->data, "%.15s %lu", devtype,
&devnum_long) < 2) error (1, 0, "%s:%s has bad `special' newphrase %s", workfile, vers->version, info->data);
__END_OF_PATCH;

vendor notification: nope.

------------------------------

End of this Digest
******************

-- 
Raju Mathur [EMAIL PROTECTED] http://kandalaya.org/
It is the mind that moves

================================================
To subscribe, send email to [EMAIL PROTECTED] with subscribe in subject header
To unsubscribe, send email to [EMAIL PROTECTED] with unsubscribe in subject header
Archives are available at http://www.mail-archive.com/ilugd%40wpaa.org
=================================================
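Review bot: the replacement format at line 4238, "%.15s %lu", does not bound the write. scanf takes its maximum field width as a bare number ("%15s"); a "." precision is printf syntax and has no meaning in a scanf conversion specification, so the patched call is not a valid scanf format. Suggest "%15s %lu", which stores at most 15 characters plus the terminating NUL into devtype[16], and keep the comment above the declaration ("fix the sscanf call also") in sync with that width.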
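An added example, not code from the advisory or from CVS, of the same "special" newphrase parse with the scanf field width derived from the buffer size instead of hard-coded; the function names, the enum and the sample newphrases are constructed for illustration, and the 16-byte devtype matches the rcs.c declaration quoted above:

```c
#include <stdio.h>
#include <string.h>

enum special_kind { SPECIAL_BAD = -1, SPECIAL_CHAR, SPECIAL_BLOCK };

/* Read "<devtype> <devnum>" into devtype, as the patched rcs.c does, but
 * with the scanf field width derived from the buffer size: %Ns stores up
 * to N characters plus a terminating NUL, so N must be devtype_len - 1.
 * Returns 0 on success, -1 if both fields could not be read. */
int parse_special(const char *data, char *devtype, size_t devtype_len,
                  unsigned long *devnum)
{
    char fmt[32];
    if (devtype_len < 2)
        return -1;
    /* For a 16-byte buffer this builds "%15s %lu". */
    snprintf(fmt, sizeof fmt, "%%%zus %%lu", devtype_len - 1);
    if (sscanf(data, fmt, devtype, devnum) < 2)
        return -1;
    return 0;
}

/* Classify a "special" newphrase the way rcs.c does with STREQ. An
 * over-long devtype is cut at 15 chars by the width; the leftover letters
 * sit where %lu expects digits, so sscanf returns 1 and the line is
 * rejected instead of the extra byte overflowing devtype. */
enum special_kind classify_special(const char *data, unsigned long *devnum)
{
    char devtype[16];                       /* same size as in rcs.c */
    if (parse_special(data, devtype, sizeof devtype, devnum) != 0)
        return SPECIAL_BAD;
    if (strcmp(devtype, "character") == 0)
        return SPECIAL_CHAR;
    if (strcmp(devtype, "block") == 0)
        return SPECIAL_BLOCK;
    return SPECIAL_BAD;
}

int main(void)
{
    /* Constructed sample newphrases; the third has an over-long devtype. */
    const char *samples[] = { "character 5", "block 8",
                              "characterXXXXXXXXXXXXXXXX 5", "fifo 3" };
    unsigned long devnum = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s -> %d\n", samples[i],
               (int)classify_special(samples[i], &devnum));
    return 0;
}
```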
