Re: Patches for 2.1.6-RELEASE locale stuff...

[wpilorz () CELEBRIS BDK LUBLIN PL (Wojtek Pilorz)]

Hi,

I believe that your patches have still some security problems,
as you ignore return value from snprintf.
Please find a few lines from FreeBSD snprintf man page:
     int
     snprintf(char *str, size_t size, const char *format, ...)
[...]
     Snprintf() and vsnprintf() will write at most size-1 of the
     characters printed into the output string (the size'th character then
     gets the terminating `\0'); if the return value is greater than or equal
     to the size argument, the string was too short and some of the printed
     characters were discarded.  Sprintf() and vsprintf() effectively assume
     an infinite size.

The effect might be that the attacker could prepare a long path
in PATH_LOCALE before executing a SUID program which would
cause arbitrary file on the system to be read
(e.g. export PATH_LOCALE="/home/evil/111111111/222222222/33333333\
/XXXXXX/../../../../../home/manager/.ssh/identity", where XXXXXX is similar to the
surrounding elements)
by the startup code;
If then the attacker would be able to create a core dump ...


Anyway , you might want to look at FreeBSD-current code, where
this problem seems to be solved (in a slightly different way.

Regards,

Wojtek Pilorz
Wojtek.Pilorz () bdk lublin pl

-----------------------------------------------------------------------

On Tue, 4 Feb 1997 tenser () SPITFIRE ECSEL PSU EDU wrote:

> Date: Tue, 4 Feb 1997 04:06:01 -0000
> From: tenser () SPITFIRE ECSEL PSU EDU
> To: BUGTRAQ () NETSPACE ORG
> Subject: Patches for 2.1.6-RELEASE locale stuff...
>
> I took another look at the locale code for 2.1.6-RELEASE (availible in
> /usr/src/lib/libc/locale), and tried to go though everything and look
> for buffer overrun type stuff.  Here is a set of patches for the four
> files I modified.  I don't guarantee that this takes care of all possible
> locale security problems, but it's a start for the folks who are going
> to presumably issue an advisory and official patch at some point in the
> future.  These patched source files at least compile on my 386 running
> 2.1.6.  Any errors I might have made, I attribute to lack of sleep over
> the last few days.  :-)
>
> (Note, just to clarify: My first patch should have thwarted the startup
> locale processing bug.  These patches are for other buffer overrun problems
> in the locale stuff in the C library.  That first patch is also included
> here for convenience.)
>
>         - Dan C.
>
> ----- Begin 2.1.6-locale.diff
> *** collate.c   1997/02/04 02:49:05     1.1
> --- collate.c   1997/02/04 02:54:58
> ***************
> *** 66,75 ****
>                 return -1;
>         if (!path_locale && !(path_locale = getenv("PATH_LOCALE")))
>                 path_locale = _PATH_LOCALE;
> !       strcpy(buf, path_locale);
> !       strcat(buf, "/");
> !       strcat(buf, encoding);
> !       strcat(buf, "/LC_COLLATE");
>         if ((fp = fopen(buf, "r")) == NULL)
>                 return -1;
>         FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp);
> --- 66,73 ----
>                 return -1;
>         if (!path_locale && !(path_locale = getenv("PATH_LOCALE")))
>                 path_locale = _PATH_LOCALE;
> !       (void)snprintf(buf,
> !               PATH_MAX, "%s/%s/LC_COLLATE", path_locale, encoding);
>         if ((fp = fopen(buf, "r")) == NULL)
>                 return -1;
>         FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp);
[patches to other files have been removed ...]