Subject: misc/2628: security loophole in rdist
To: None <gnats-bugs@NetBSD.ORG>
From: None <david@mono.org>
List: netbsd-bugs
Date: 07/15/1996 12:55:39
>Number: 2628
>Category: misc
>Synopsis: security loophole in rdist
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: misc-bug-people (Misc Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Jul 15 08:20:01 1996
>Last-Modified:
>Originator: David Brownlee
>Organization:
Monochrome (<a href="http://www.mono.org/">Monochrome</a>)
>Release: 1.2_BETA
>Environment:
System: NetBSD orwell.southern.net 1.2_BETA NetBSD 1.2_BETA (_SUN4C_)
>Description:
Buffer overflow loophole in usr.bin/rdist/lookup.c
>How-To-Repeat:
Overflow a buffer in the traditional way...
>Fix:
*** usr.bin/rdist/lookup.c.old Mon Jul 15 12:44:13 1996
--- usr.bin/rdist/lookup.c Mon Jul 15 12:43:48 1996
***************
*** 142,148 ****
continue;
if (action != LOOKUP) {
if (action != INSERT || s->s_type != CONST) {
! (void)sprintf(buf, "%s redefined", name);
yyerror(buf);
}
}
--- 142,149 ----
continue;
if (action != LOOKUP) {
if (action != INSERT || s->s_type != CONST) {
! (void)snprintf(buf, sizeof(buf),
! "%s redefined", name);
yyerror(buf);
}
}
***************
*** 150,156 ****
}
if (action == LOOKUP) {
! (void)sprintf(buf, "%s undefined", name);
yyerror(buf);
return(NULL);
}
--- 151,157 ----
}
if (action == LOOKUP) {
! (void)snprintf(buf, sizeof(buf), "%s undefined", name);
yyerror(buf);
return(NULL);
}
>Audit-Trail:
>Unformatted: