[1591] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Security hole in rusers client

daemon@ATHENA.MIT.EDU (David Holland)
Wed Aug 6 04:21:38 1997

From: David Holland <dholland@eecs.harvard.edu>
To: linux-security@redhat.com
Date: Sat, 2 Aug 1997 15:19:30 -0400 (EDT)
Cc: bugtraq@netspace.org
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

(Cc'd to bugtraq since this probably affects everyone, not just Linux...)

-----BEGIN PGP SIGNED MESSAGE-----

Thanks to David Sacerdote of OpenBSD for pointing me in the general
direction of this one.

Patch against netkit-rusers-0.10 follows. netkit-rusers-0.11 will
appear shortly.

If you don't have pgp and don't know how to un-pgp a patch mail me and
I'll send you an unsigned one.

*** rusers.c	1997/04/05 22:26:22	1.9
- --- rusers.c	1997/08/02 15:53:44
***************
*** 155,174 ****
  					days, hours, minutes, seconds);
  		}
  
  		strncpy(remote, up->uia_arr[x]->ui_utmp.ut_host,
! 		    sizeof(remote)-1);
  		if (strlen(remote) != 0)
  			sprintf(remote, "(%.16s)",
  			    up->uia_arr[x]->ui_utmp.ut_host);
  
  		if (longopt) {
! 			strncpy(local, host, sizeof(local));
! 			local[sizeof(local)-1] = 0;
! 			local[HOST_WIDTH + LINE_WIDTH + 1 -
! 			    strlen(up->uia_arr[x]->ui_utmp.ut_line) - 1] = 0;
! 			strcat(local, ":");
! 			strcat(local, up->uia_arr[x]->ui_utmp.ut_line);
  
  			printf("%-8.8s %-*.*s %-12.12s %8s %.18s\n",
  			    up->uia_arr[x]->ui_utmp.ut_name,
  			    HOST_WIDTH+LINE_WIDTH+1, HOST_WIDTH+LINE_WIDTH+1, local,
- --- 155,186 ----
  					days, hours, minutes, seconds);
  		}
  
  		strncpy(remote, up->uia_arr[x]->ui_utmp.ut_host,
! 			sizeof(remote)-1);
! 		remote[sizeof(remote)-1] = 0;
! 
  		if (strlen(remote) != 0)
  			sprintf(remote, "(%.16s)",
  			    up->uia_arr[x]->ui_utmp.ut_host);
  
  		if (longopt) {
! 			/* Fit into HOST_WIDTH+LINE_WIDTH+1 chars */
! 			int len1 = strlen(host);
! 			int len2 = strlen(up->uia_arr[x]->ui_utmp.ut_line);
! 			if (len1 + len2 > HOST_WIDTH+LINE_WIDTH+1) {
! 			    int excess = len1 + len2 - HOST_WIDTH-LINE_WIDTH-1;
! 			    if (excess < len1) len1 -= excess;
! 			    else if (excess < len2) len2 -= excess;
! 			    else {
! 				/* Hmm. Probably an attack... */
! 				len1 = HOST_WIDTH;
! 				len2 = LINE_WIDTH;
! 			    }
! 			}
! 			snprintf(local, sizeof(local),
! 				 "%-.*s:%-.*%s", len1, host, len2,
! 				 up->uia_arr[x]->ui_utmp.ut_line);
  
  			printf("%-8.8s %-*.*s %-12.12s %8s %.18s\n",
  			    up->uia_arr[x]->ui_utmp.ut_name,
  			    HOST_WIDTH+LINE_WIDTH+1, HOST_WIDTH+LINE_WIDTH+1, local,

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM+Nd8zx1dyEHyT51AQGsYgQAqD+UPi73zrvCYP1Ryve6b78HW+v9aAdX
NMV5eSL0PrzZpkXuB729d9LGDB5DQVx4wud5dsV4t8VYaHXhyi2r/h0xWPAQtapf
yuQKmSuYqYqiU7L02sQfpZn6hCSvbg89H+fIv9yfzp3fVhBysl3ba7UpKzmvLq6v
2ojnl95pwKY=
=lnFR
-----END PGP SIGNATURE-----

-- 
   - David A. Holland             |    VINO project home page:
     dholland@eecs.harvard.edu    | http://www.eecs.harvard.edu/vino


home help back first fref pref prev next nref lref last post