[34502] in bugtraq
Re: GNU Sharutils buffer overflow vulnerability.
daemon@ATHENA.MIT.EDU (Dan Yefimov)
Sat Apr 10 21:29:30 2004
Date: Sun, 11 Apr 2004 00:14:48 +0400 (MSD)
From: Dan Yefimov <dan@D00M.integrate.com.ru>
To: Shaun Colley <shaunige@yahoo.co.uk>
Cc: bugtraq@securityfocus.com, <full-disclosure-request@lists.netsys.com>
In-Reply-To: <20040406190415.85818.qmail@web25109.mail.ukl.yahoo.com>
Message-ID: <Pine.LNX.4.44.0404102351430.6425-200000@D00M.integrate.com.ru>
On Tue, 6 Apr 2004, Shaun Colley wrote:
> I have written a simple patch below to fix the buffer
> overflow bug:
>
>
> --- shar-bof.patch ---
>
> --- shar.1.c 2004-04-06 16:26:55.000000000 +0100
> +++ shar.c 2004-04-06 16:32:32.000000000 +0100
> @@ -1905,7 +1905,7 @@
> break;
>
> case 'o':
> - strcpy (output_base_name, optarg);
> + strncpy (output_base_name, optarg,
> sizeof(output_base_name));
> if (!strchr (output_base_name, '%'))
> strcat (output_base_name, ".%02d");
> part_number = 0;
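Review bot: the `strncpy (output_base_name, optarg, sizeof(output_base_name))` replacement does not guarantee a terminating NUL when `optarg` is at least as long as the buffer, and the unchanged `strcat (output_base_name, ".%02d")` two lines later then appends five more bytes to a buffer that may already be full, so the overflow is moved rather than removed. Check the combined length up front (`strlen (optarg) + strlen (".%02d") < sizeof output_base_name`) and reject the option otherwise, keeping the plain copy only when that check passes. Since the `strchr (output_base_name, '%')` test shows the value is later passed as a printf-style format for `part_number`, any `%` that the user supplies should also be validated or rejected here rather than copied through.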
> --- EOF ---
>
Your patch isn't quite correct since you at least forgot about the
strcat(output_base_name, ".%02d") following the patched code. You also didn't
notice the subsequent use of output_base_name as a format string, which may
produce an overflow of output_filename[] because of unnoticed percent symbols
passed in. Attached is a patch accounting for that.
--
Sincerely Yours, Dan.
Content-Disposition: attachment; filename="sharutils-4.2.1-bof.patch"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---263133340-1810121764-1081628088=:6425--
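An added example, not code from this thread or from sharutils, of the two checks the reply above calls for: bounding the copy so that the ".%02d" suffix still fits, and validating the user-supplied name before it is ever used as a format. The names output_base_name, output_filename and part_number come from the thread; the buffer size and the helper names are assumed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BASE_NAME_SIZE 64                 /* assumed size, not sharutils' own */
static char output_base_name[BASE_NAME_SIZE];

/* The base name may carry at most one conversion, and it must be an integer
 * one (%d, %02d, %3d ...), because the string is later passed to a printf-style
 * call with part_number as its only argument. Any other '%' (%s, %n, %%, a
 * trailing '%') is rejected instead of being copied through to the format.
 * Returns 1 if exactly one such conversion is present, 0 if none, -1 if bad. */
static int check_conversions(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        while (isdigit((unsigned char)*p))
            p++;
        if (*p != 'd')
            return -1;
        count++;
    }
    return count > 1 ? -1 : count;
}

/* Replacement for the strcpy / strncpy + strcat sequence: the total length,
 * including the ".%02d" suffix that may be appended, is checked before any
 * byte is written, so neither the copy nor the concatenation can overflow.
 * Returns 0 on success, -1 if the name is too long or malformed. */
int set_output_base_name(const char *optarg)
{
    static const char suffix[] = ".%02d";
    int conv = check_conversions(optarg);
    size_t need = strlen(optarg) + (conv == 0 ? sizeof suffix - 1 : 0) + 1;
    if (conv < 0 || need > sizeof output_base_name)
        return -1;
    memcpy(output_base_name, optarg, strlen(optarg) + 1);
    if (conv == 0)
        strcat(output_base_name, suffix);   /* fits: checked above */
    return 0;
}

/* Builds one part's file name. output_base_name holds exactly one %...d
 * conversion by construction, so using it as the format is now safe, and
 * snprintf bounds the result. Returns 0 on success, -1 if it would not fit. */
int make_output_filename(char *output_filename, size_t size, int part_number)
{
    int n = snprintf(output_filename, size, output_base_name, part_number);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}
```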