[19256] in bugtraq


Re: vixie cron possible local root compromise

daemon@ATHENA.MIT.EDU (Flavio Veloso)
Fri Feb 16 12:39:56 2001

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Content-Transfer-Encoding: 8BIT
Message-Id:  <Pine.LNX.4.21.0102161234280.16151-100000@hydrogenium.bogus.mirasystems.com.br>
Date:         Fri, 16 Feb 2001 12:37:14 -0200
Reply-To: Flavio Veloso <flaviovs@MAGNUX.COM.BR>
From: Flavio Veloso <flaviovs@MAGNUX.COM.BR>
X-To:         Peter W <peterw@USA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20010215145856.C14744@usa.net>

On Thu, 15 Feb 2001, Peter W wrote:

> I can't believe how much has been written about an issue
> that's apparently fixed with a few lines of code.
>
> More patches, less pedantic finger pointing. Bottom line
> is the app does not, cannot enforce length constraints on
> usernames, so it needs to do proper bounds checking.

Here's the patch. It doesn't matter how big the limit of user names
on the system is, it just doesn't allow people to stuff crontab with data
that it can't handle.

diff -Nru cron3.0pl1.orig/crontab.c cron3.0pl1/crontab.c
--- cron3.0pl1.orig/crontab.c	Tue Feb 13 14:39:04 2001
+++ cron3.0pl1/crontab.c	Tue Feb 13 14:43:47 2001
@@ -143,6 +143,13 @@
 		fprintf(stderr, "bailing out.\n");
 		exit(ERROR_EXIT);
 	}
+	if ( strlen(pw->pw_name) > (sizeof(User)-1) )
+	{
+		fprintf(stderr, "%s: your login name is too long.\n",
+			ProgramName);
+		fprintf(stderr, "bailing out.\n");
+		exit(ERROR_EXIT);
+	}
 	strcpy(User, pw->pw_name);
 	strcpy(RealUser, User);
 	Filename[0] = '\0';
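
Review bot: the new length test covers only the first copy, "strcpy(User, pw->pw_name);". The context line right after it, "strcpy(RealUser, User);", is safe only if RealUser is at least as large as User, and neither declaration is visible in this hunk. Consider testing the name length against the smaller of the two buffers, or replacing both strcpy calls with a bounded copy whose result is checked for truncation, so that the guarantee does not depend on declarations elsewhere in crontab.c. A one-line comment above the check saying which copies it protects would also help the next reader.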

--
Flavio
