Re: bin/2983: Security bug (buffer overflow) in

[eivind () FREEBSD ORG (Eivind Eklund)]

At 02:56 PM 3/16/97 -0600, Tero Kivinen wrote:
> The termcap libraries tgoto function has buffer overflow bug that can
> be used to overwrite data in BSS segment.
>
> The tgoto have function have static char result[MAXRETURNSIZE] (64
> characters) buffer that is used to return cursor addressing string
> from tgoto function. If the CM-cabability have more than 64 characters
> in it the tgoto function will overwrite something in the bss segment
> after result-variable. There are no checks about the length of cm
> string nor checks if the resulting string is longer than MAXRETURNSIZE
> characters.

This is now fixed in FreeBSD - RELENG_2_1_0, RELENG_2_2, and HEAD.
Anybody on CVSup or CTM should get the changes later today.

Sorry for the delay.

If somebody want just the diffs, they can be fetched directly from the
FreeBSD CVS tree:
http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libtermcap/tgoto.c?r1=1.4&r2=1.5

Eivind Eklund perhaps () yes no http://maybe.yes.no/perhaps/ eivind () freebsd org