[2903] in Kerberos-V5-bugs
pending/571: Buffer overrun in Version 1.0.5 appl/bsd/login.c
daemon@ATHENA.MIT.EDU (Booker Bense)
Mon Mar 23 15:53:11 1998
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: gnats-admin@rt-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU,
Booker Bense <bbense@networking.stanford.edu>
Date: Mon, 23 Mar 1998 12:52:15 -0800 (PST)
From: Booker Bense <bbense@networking.stanford.edu>
To: krb5-bugs@MIT.EDU
>Number: 571
>Category: pending
>Synopsis: Buffer overrun in Version 1.0.5 appl/bsd/login.c
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Mar 23 15:53:00 EST 1998
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
Forgive me if I'm being overly paranoid, but I was poking around in login.c and found these potential buffer overruns. Exploiting them might be difficult, but they are there.

- Booker c. Bense
*** login.c Mon Mar 23 12:44:09 1998
--- login.c~ Fri Feb 6 19:41:18 1998
***************
*** 487,493 ****
unlink(ccfile+strlen("FILE:"));
} else {
/* note it correctly */
! strncpy(ccfile, getenv(KRB5_ENV_CCNAME),sizeof(ccfile));
}
#ifdef KRB4_GET_TICKETS
--- 487,493 ----
unlink(ccfile+strlen("FILE:"));
} else {
/* note it correctly */
! strcpy(ccfile, getenv(KRB5_ENV_CCNAME));
}
#ifdef KRB4_GET_TICKETS
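Review bot: the strncpy(ccfile, getenv(KRB5_ENV_CCNAME),sizeof(ccfile)) line can leave ccfile without a terminating NUL. When the environment value is sizeof(ccfile) bytes or longer, strncpy fills the whole buffer and writes no terminator, so later string operations on ccfile (such as the unlink(ccfile+strlen("FILE:")) in the other branch) would read past the array. Copy at most sizeof(ccfile) - 1 bytes and set ccfile[sizeof(ccfile) - 1] = '\0' afterwards. No NULL check on the getenv() result is visible in this context either; confirm the branch condition guarantees the variable is set. Separately, the diff direction is reversed: the file headers put the newer login.c first and the backup login.c~ second, so the strncpy lines appear on the "***" side and applying this with patch as-is would turn strncpy back into strcpy. Regenerate it as a diff from login.c~ to login.c.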
***************
*** 617,623 ****
} else {
/* get_name pulls out just the name not the
type */
! strncpy(ccfile, krb5_cc_get_name(kcontext, ccache),sizeof(ccfile));
krbflag = got_v5_tickets = 1;
return 1;
}
--- 617,623 ----
} else {
/* get_name pulls out just the name not the
type */
! strcpy(ccfile, krb5_cc_get_name(kcontext, ccache));
krbflag = got_v5_tickets = 1;
return 1;
}
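Review bot: on the strncpy(ccfile, krb5_cc_get_name(kcontext, ccache),sizeof(ccfile)) line, an over-long cache name is silently truncated (and left unterminated at exactly sizeof(ccfile) bytes), yet the next lines still set krbflag = got_v5_tickets = 1 and return 1. The caller would then proceed with a ccfile that does not name the cache that was actually obtained. Check the length of the name against sizeof(ccfile) before copying and take the failure path when it does not fit, instead of truncating and reporting success.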
***************
*** 708,714 ****
return 0;
}
got_v4_tickets = 1;
! strncpy(tkfile, tkt_string(),sizeof(tkfile));
return 1;
}
#endif
--- 708,714 ----
return 0;
}
got_v4_tickets = 1;
! strcpy(tkfile, tkt_string());
return 1;
}
#endif
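Review bot: strncpy(tkfile, tkt_string(),sizeof(tkfile)) has the same termination gap as the ccfile copies: a ticket file name of sizeof(tkfile) bytes or more leaves tkfile with no NUL, and the function still returns 1 with got_v4_tickets set. Use sizeof(tkfile) - 1 as the bound and write tkfile[sizeof(tkfile) - 1] = '\0' after the copy, or reject the over-long name. The declaration of tkfile is not in this context; sizeof(tkfile) is only the buffer size if tkfile is an array in scope here and not a pointer, so that is worth confirming before this goes in.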