[4467] in bugtraq


Re: ELM overflow

daemon@ATHENA.MIT.EDU (security@HOME.BTI.PL)
Wed May 14 13:44:43 1997

Date: 	Wed, 14 May 1997 15:10:46 +0200
Reply-To: security@home.bti.pl
From: security@HOME.BTI.PL
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199705131918.VAA03125@ajax.umcs.lublin.pl>

On Tue, 13 May 1997, Wojciech Swieboda wrote:

> Hello,
>         I've lately found an overflow vulnerability in Elm (Elm is setgid
> mail on Linux, and perhaps on some other platforms as well). I've tested this
> bug on versions 2.3 and 2.4, on 3 different Linux installations.
> from Elm 2.3's curses.c:
> [...]
>         char termname[40];
>         char *strcpy(), *getenv();
>
>         if (getenv("TERM") == NULL) return(-1);
>
>         if (strcpy(termname, getenv("TERM")) == NULL)
>                 return(-1);
> [...]
> to patch, change the strcpy line to
>         if (strncpy(termname, getenv("TERM"), sizeof(termname)) == NULL)
>
To patch it on Elm 2.4, change:

[...]
        if (strcpy(termname, termenv) == NULL)
                return (-1);

to:
[...]
        if (strncpy(termname, termenv, sizeof(termname)) == NULL)
                return (-1);


 -Grych
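
Added example (not part of the original post and not Elm's code): the strncpy() change above bounds the copy into termname[40], but strncpy() writes no terminating NUL when the TERM value is 40 bytes or longer, so later string operations on termname can still read past the buffer. The code below shows that case and a length check that rejects such a value instead; copy_strncpy_only, copy_term_checked and TERMNAME_LEN are hypothetical names, and the long TERM value is constructed.

```c
#include <stdio.h>
#include <string.h>

#define TERMNAME_LEN 40  /* size of termname[] in the quoted curses.c */

/* The strncpy() form from the thread. The write is bounded, but strncpy()
 * adds no terminating NUL when strlen(src) >= dstlen.
 * Returns 1 if dst holds a NUL within dstlen bytes, 0 if it does not. */
int copy_strncpy_only(char *dst, size_t dstlen, const char *src)
{
    strncpy(dst, src, dstlen);
    return memchr(dst, '\0', dstlen) != NULL;
}

/* Hypothetical stricter helper (not Elm's code): refuse a value that does
 * not fit, so the caller can bail out as the original does with return(-1).
 * Returns 0 on success, -1 if src is NULL or too long for dst. */
int copy_term_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n;

    if (src == NULL || dstlen == 0)
        return -1;
    n = strlen(src);
    if (n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);  /* n + 1 copies the NUL as well */
    return 0;
}

int main(void)
{
    char termname[TERMNAME_LEN];
    char long_term[64];  /* constructed over-long TERM value */

    memset(long_term, 'A', sizeof(long_term) - 1);
    long_term[sizeof(long_term) - 1] = '\0';

    printf("strncpy only, short value: terminated=%d\n",
           copy_strncpy_only(termname, sizeof(termname), "vt100"));
    printf("strncpy only, long value:  terminated=%d\n",
           copy_strncpy_only(termname, sizeof(termname), long_term));
    printf("checked copy, long value:  rc=%d\n",
           copy_term_checked(termname, sizeof(termname), long_term));
    return 0;
}
```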
