[3143] in Kerberos-V5-bugs
krb5-libs/780: user-creatable buffer overflow in ksu !!!!!
daemon@ATHENA.MIT.EDU (crawdad@fnal.gov)
Wed Oct 27 19:05:09 1999
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, crawdad@fnal.gov
Message-Id: <199910272303.SAA27618@gungnir.fnal.gov>
Date: Wed, 27 Oct 1999 18:03:39 -0500 (CDT)
From: crawdad@fnal.gov
Reply-To: crawdad@fnal.gov
To: krb5-bugs@MIT.EDU
Cc: crawdad@fnal.gov, kenh@cmf.nrl.navy.mil
>Number: 780
>Category: krb5-libs
>Synopsis: krb5_string_to_deltat() bugs
>Confidential: yes
>Severity: critical
>Priority: high
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Oct 27 19:05:01 EDT 1999
>Last-Modified:
>Originator: Matt Crawford
>Organization:
Fermilab
>Release: krb5-1.0.6 and krb5-1.1
>Environment:
System: SunOS gungnir.fnal.gov 5.5.1 Generic_103640-24 sun4u sparc SUNW,Ultra-1
Architecture: sun4
>Description:
krb5_string_to_deltat uses sscanf strings like "%d%[d]" to scan into
integers. "%[d]" matches any number of d's. Do the math.
>How-To-Repeat:
% ksu -r 3dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
Segmentation Fault
Discovery of a useful-length string of only d's, h's, m's or s's is
left to the reader, but can you be sure there isn't one? Two weeks
from now, what might the bugtraq community come up with?
>Fix:
The following patch fixes the above and also an error in parsing the
"%dh%dm" and "%d:%02d" formats. Those were being interpreted as
minutes and seconds rather than hours and minutes. These line numbers
are relative to 1.0.6, but exactly the same bugs are in 1.1.
Index: lib/krb5/krb/str_conv.c
===================================================================
RCS file: /cvs/cd/kerberos/src/lib/krb5/krb/str_conv.c,v
retrieving revision 1.2
diff -u -r1.2 str_conv.c
--- str_conv.c 1999/06/18 20:39:27 1.2
+++ str_conv.c 1999/10/27 22:49:15
@@ -170,10 +170,10 @@
static const char dtscan_hms_stext[] = "%dh%dm%ds";
static const char dtscan_hm_notext[] = "%d:%02d";
static const char dtscan_hm_stext[] = "%dh%dm";
-static const char dtscan_days[] = "%d%[d]";
-static const char dtscan_hours[] = "%d%[h]";
-static const char dtscan_minutes[] = "%d%[m]";
-static const char dtscan_seconds[] = "%d%[s]";
+static const char dtscan_days[] = "%d%1[d]";
+static const char dtscan_hours[] = "%d%1[h]";
+static const char dtscan_minutes[] = "%d%1[m]";
+static const char dtscan_seconds[] = "%d%1[s]";
static const char dt_day_singular[] = "day";
static const char dt_day_plural[] = "days";
static const char dt_output_donly[] = "%d %s";
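Review bot: the width of 1 added to dtscan_days, dtscan_hours, dtscan_minutes and dtscan_seconds bounds each scanset to one letter plus its NUL, two bytes, but a "%1[...]" conversion is still a string conversion whose argument must be a char buffer of at least that size; the hunk does not show the sscanf call these formats are handed to, so confirm that the destination for that field really holds two bytes rather than being one of the integer slots the other patterns scan into, and record the two-byte requirement in a comment beside these four definitions. If exactly one unit letter is meant to be accepted, a literal in the format ("%dd") would drop the scanset altogether, at the cost of changing the match count for these rows from 2 to 1.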
@@ -262,8 +262,8 @@
{ dtscan_dhms_stext, 4, 0, 1, 2, 3 },
{ dtscan_hms_notext, 3, -1, 0, 1, 2 },
{ dtscan_hms_stext, 3, -1, 0, 1, 2 },
-{ dtscan_hm_notext, 2, -1, -1, 0, 1 },
-{ dtscan_hm_stext, 2, -1, -1, 0, 1 },
+{ dtscan_hm_notext, 2, -1, 0, 1, -1 },
+{ dtscan_hm_stext, 2, -1, 0, 1, -1 },
{ dtscan_days, 2, 0, -1, -1, -1 },
{ dtscan_hours, 2, -1, 0, -1, -1 },
{ dtscan_minutes, 2, -1, -1, 0, -1 },
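Review bot: the swapped columns for dtscan_hm_notext and dtscan_hm_stext now put field 0 in the hour index and field 1 in the minute index, which matches the "%d:%02d" and "%dh%dm" formats, but the rows are bare integers with nothing naming the columns, which is how the original ordering slipped through; add a comment above the table stating the column order (match count, then day, hour, minute and second index), and consider a test that parses "1:30" and "1h30m" and checks for 90 minutes rather than 90 seconds, so the mapping cannot silently regress.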
>Audit-Trail:
>Unformatted:
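Added example, not krb5's code: a stand-alone reimplementation of the patched parser, with the table laid out as in the second hunk (hours and minutes for the two-field forms) and the unit scansets width-limited as in the first. It goes beyond the patch by appending %n to every format and rejecting any string that is not consumed whole, so a run of d's after the number fails rather than being silently ignored; the struct, function and pattern-string names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* sscanf pattern and the scanned-field index (0-3, or -1 if absent) of each
 * unit, laid out like the table in the patch; %n records bytes consumed. */
struct dt_pattern { const char *fmt; int nfields; int d, h, m, s; };
static const struct dt_pattern patterns[] = {
    { "%dd%dh%dm%ds%n", 4,  0,  1,  2,  3 },
    { "%d:%d:%d%n",     3, -1,  0,  1,  2 },
    { "%dh%dm%ds%n",    3, -1,  0,  1,  2 },
    { "%d:%d%n",        2, -1,  0,  1, -1 },  /* hours:minutes, as in the fix */
    { "%dh%dm%n",       2, -1,  0,  1, -1 },
};

/* Pass exactly the arguments the pattern needs so %n always lands in *used. */
static int scan(const char *s, const char *fmt, int n, int *v, int *used)
{
    if (n == 4) return sscanf(s, fmt, &v[0], &v[1], &v[2], &v[3], used);
    if (n == 3) return sscanf(s, fmt, &v[0], &v[1], &v[2], used);
    return sscanf(s, fmt, &v[0], &v[1], used);
}

/* Lifetime in seconds, or -1 if the string is not a lifetime. Unlike the
 * patched krb5 parser, trailing characters make the string invalid. */
long parse_deltat(const char *str)
{
    int v[4] = { 0, 0, 0, 0 }, used = 0, len = (int)strlen(str);
    char unit[2];                         /* one unit letter plus NUL */
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        const struct dt_pattern *p = &patterns[i];
        if (scan(str, p->fmt, p->nfields, v, &used) != p->nfields || used != len)
            continue;
        long d = p->d < 0 ? 0 : v[p->d], h = p->h < 0 ? 0 : v[p->h];
        long m = p->m < 0 ? 0 : v[p->m], s = p->s < 0 ? 0 : v[p->s];
        return ((d * 24 + h) * 60 + m) * 60 + s;
    }
    /* Single-unit forms ("3d", "45s"): the width 1 on the scanset bounds the
     * write to unit[2] however many letters follow the number; the unpatched
     * "%d%[d]" had no width, so a long run of 'd' overran its target. */
    if (sscanf(str, "%d%1[dhms]%n", &v[0], unit, &used) == 2 && used == len) {
        switch (unit[0]) {
        case 'd': return v[0] * 86400L;
        case 'h': return v[0] * 3600L;
        case 'm': return v[0] * 60L;
        default:  return v[0];
        }
    }
    return -1;
}
```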