[4181] in bugtraq


Re: bin/2983: Security bug (buffer overflow) in

daemon@ATHENA.MIT.EDU (Eivind Eklund)
Mon Mar 17 13:24:19 1997

Date: 	Mon, 17 Mar 1997 12:10:41 +0100
Reply-To: Eivind Eklund <eivind@FREEBSD.ORG>
From: Eivind Eklund <eivind@FREEBSD.ORG>
X-To:         Tero Kivinen <kivinen@ssh.fi>
To: BUGTRAQ@NETSPACE.ORG

At 02:56 PM 3/16/97 -0600, Tero Kivinen wrote:
>The termcap library's tgoto function has a buffer overflow bug that can
>be used to overwrite data in the BSS segment.
>
>The tgoto function has a static char result[MAXRETURNSIZE] (64
>characters) buffer that is used to return the cursor addressing string
>from tgoto. If the CM capability has more than 64 characters
>in it, the tgoto function will overwrite something in the bss segment
>after the result variable. There are no checks on the length of the cm
>string, nor checks whether the resulting string is longer than MAXRETURNSIZE
>characters.

This is now fixed in FreeBSD - RELENG_2_1_0, RELENG_2_2, and HEAD.
Anybody on CVSup or CTM should get the changes later today.

Sorry for the delay.

If somebody wants just the diffs, they can be fetched directly from the
FreeBSD CVS tree:
http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libtermcap/tgoto.c?r1=1.4&r2=1.5

Eivind Eklund perhaps@yes.no http://maybe.yes.no/perhaps/ eivind@freebsd.org
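As an added example (not code from this post, and not libtermcap's tgoto.c), the following simplified, hypothetical cursor-addressing expander shows the check the report says was missing. It keeps the static 64-byte result buffer the report describes, handles only a small subset of termcap "cm" escapes (%d, %2, %3, %+c, %i, %%), and refuses any expansion that would not fit, returning NULL instead of writing past the end of the buffer. The function and helper names, the supported escape subset, and the NULL-on-error convention are all assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAXRETURNSIZE 64   /* same buffer size the report quotes */

/* Static result buffer, as in the report; every write below is bounds-checked. */
static char result[MAXRETURNSIZE];

/* Append one byte, leaving room for the terminating NUL; -1 if it would not fit. */
static int put_char(size_t *len, char c) {
    if (*len + 1 >= sizeof result)
        return -1;
    result[(*len)++] = c;
    return 0;
}

/* Append a decimal number, zero-padded to 'width' (0 = no padding). */
static int put_num(size_t *len, int v, int width) {
    char tmp[16];
    int n = snprintf(tmp, sizeof tmp, "%0*d", width, v);
    if (n < 0 || (size_t)n >= sizeof tmp)
        return -1;
    for (int i = 0; i < n; i++)
        if (put_char(len, tmp[i]) < 0)
            return -1;
    return 0;
}

/* Hypothetical bounded tgoto: expands 'cm' with row/column arguments into
 * the static buffer. Returns the buffer, or NULL if the capability is
 * malformed, uses more than two arguments, or would overflow the buffer. */
const char *tgoto_checked(const char *cm, int col, int row) {
    size_t len = 0;
    int args[2] = { row, col };   /* termcap order: row first, then column */
    int argi = 0;

    if (cm == NULL)
        return NULL;
    for (const char *p = cm; *p; p++) {
        if (*p != '%') {
            if (put_char(&len, *p) < 0) return NULL;
            continue;
        }
        p++;
        switch (*p) {
        case 'd':
        case '2':
        case '3': {
            int width = (*p == 'd') ? 0 : (*p - '0');
            if (argi > 1 || put_num(&len, args[argi++], width) < 0) return NULL;
            break;
        }
        case '+':   /* %+c: emit the argument added to the following character */
            if (*++p == '\0' || argi > 1) return NULL;
            if (put_char(&len, (char)(args[argi++] + *p)) < 0) return NULL;
            break;
        case 'i':   /* %i: one-based addressing, bump both arguments */
            args[0]++;
            args[1]++;
            break;
        case '%':
            if (put_char(&len, '%') < 0) return NULL;
            break;
        default:    /* unsupported escape or trailing '%' */
            return NULL;
        }
    }
    result[len] = '\0';
    return result;
}

/* Constructed sample: a capability string far longer than MAXRETURNSIZE,
 * standing in for the oversized "cm" entry the report warns about. */
const char *constructed_oversized_cm(void) {
    static char cm[128];
    memset(cm, 'A', sizeof cm - 1);
    cm[sizeof cm - 1] = '\0';
    return cm;
}

int main(void) {
    const char *s = tgoto_checked("\033[%i%d;%dH", 4, 9);
    printf("ok: %s\n", s ? s + 1 : "(null)");   /* prints "ok: [10;5H" */
    printf("oversized cm rejected: %s\n",
           tgoto_checked(constructed_oversized_cm(), 0, 0) == NULL ? "yes" : "no");
    return 0;
}
```

The check that matters is in put_char: the original report's point is that nothing compared the growing output against MAXRETURNSIZE, so a long cm entry kept writing into whatever followed result in BSS. Here an oversized or malformed capability makes the call fail rather than silently corrupt adjacent data.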
