[16219] in bugtraq
Remote vulnerability in Gopherd 2.x patch redux
daemon@ATHENA.MIT.EDU (Mike Schiffman)
Mon Aug 14 13:35:06 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <NEBBIMCMELMGHFGLLFEIGECLCCAA.michael.schiffman@guardent.com>
Date: Sat, 12 Aug 2000 15:38:26 -0700
Reply-To: michael.schiffman@guardent.com
From: Mike Schiffman <michael.schiffman@GUARDENT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
The workaround patch included in advisory A0208102000 is flawed. Unfortunately
this was not noticed until just after the advisory was posted. The original
patch made use of strncpy (which is not guaranteed to NUL terminate the
resulting string) and it also passed in a signed length to strncat (which takes
an unsigned length parameter). Due to these two flaws, the opportunity for
overflowing the destination buffer still existed. The following replacement
patch fixes these two issues (as well as the original buffer flow). We
apologize for any inconvenience this mistake may have caused, and would like to
thank all those who noticed these flaws and gave us feedback.
2.3 patch:
diff -ru gopher2_3.old/gopherd/authenticate.c gopher2_3/gopherd/authenticate.c
--- gopher2_3.old/gopherd/authenticate.c Sat Aug 12 16:34:47 2000
+++ gopher2_3/gopherd/authenticate.c Sat Aug 12 16:51:51 2000
@@ -494,11 +494,12 @@
char keystr[256];
char *cp;
Desnum c;
- int i;
+ int i, keysize;
- strcpy(keystr, user);
- strcat(keystr, ip);
- strcat(keystr, key);
+ keysize = sizeof(keystr)-1, memset(keystr, 0, keysize+1);
+ strncat(keystr, user, keysize), i = keysize - strlen(keystr);
+ strncat(keystr, ip, i), i = keysize - strlen(keystr);
+ strncat(keystr, key, i);
Debug("Encoding key %s\n", keystr);
2.3.1 patch:
diff -ru gopher2_3.1.old/gopherd/authenticate.c
gopher2_3.1/gopherd/authenticate.c
--- gopher2_3.1.old/gopherd/authenticate.c Sat Aug 12 16:34:57 2000
+++ gopher2_3.1/gopherd/authenticate.c Sat Aug 12 16:51:40 2000
@@ -496,13 +496,10 @@
Desnum c;
int i, keysize;
-/* strcpy(keystr, user);
- strcat(keystr, ip);
- strcat(keystr, key); */
- i = keysize = sizeof(keystr)-1;
- strncpy(keystr, user, i), i -= strlen(keystr);
- strncat(keystr, ip, i), i -= strlen(keystr);
- strncat(keystr, key, i), keystr[keysize] = '\0';
+ keysize = sizeof(keystr)-1, memset(keystr, 0, keysize+1);
+ strncat(keystr, user, keysize), i = keysize - strlen(keystr);
+ strncat(keystr, ip, i), i = keysize - strlen(keystr);
+ strncat(keystr, key, i);
Debug("Encoding key %s\n", keystr);
--
Mike D. Schiffman
Director of Research and Development
Guardent, Inc.
http://www.guardent.com
