Bugtraq mailing list archives
Re: ELM overflow
From: Michel.Gaudet () EHESS FR (Michel GAUDET)
Date: Fri, 16 May 1997 13:31:05 +0200
On Wed, 14 May 1997 security () home bti pl wrote:

> On Tue, 13 May 1997, Wojciech Swieboda wrote:
>
> > Hello, I've lately found an overflow vulnerability in Elm (Elm is setgid
> > mail on linux, and perhaps on some other platforms as well). I've tested
> > this bug on versions 2.3 and 2.4, on 3 different Linux installations.
> >
> > from Elm 2.3's curses.c:
> >
> > [...]
> >     char termname[40];
> >     char *strcpy(), *getenv();
> >
> >     if (getenv("TERM") == NULL) return(-1);
> >
> >     if (strcpy(termname, getenv("TERM")) == NULL)
> >         return(-1);
> > [...]
> >
> > to patch, change the strcpy line to
> >     if (strncpy(termname, getenv("TERM"), sizeof(termname)) == NULL)
>
> To patch it on Elm 2.4, change:
> [...]
>     if (strcpy(termname, termenv) == NULL)
>         return (-1);
> to:
> [...]
>     if (strncpy(termname, termenv, sizeof(termname)) == NULL)
>         return (-1);
>
> -Grych

You must terminate the string with \0 because strncpy doesn't: strncpy
copies at most n characters and, if the length of S2 is >= n, does so
regardless of the termination of the string.

Then I think the exact change should be:

    char termname[40];
    char *strncpy(), *getenv();
    ....
    termname[39] = '\0';
    if (strncpy(termname, termenv, sizeof(termname) - 1) == NULL)
        return (-1);

Regards.
--------------------------------------------------------------------------
| Michel GAUDET |
| Ecole des Hautes Etudes en Sciences Sociales. |
| 54 Boulevard RASPAIL 75006 PARIS (France) |
| FAX:(33) 01 49 54 26 85 Email: Michel.Gaudet () ehess fr |
| Tel:(33) 01 49 54 25 91 |
--------------------------------------------------------------------------
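
The difference between the two proposed changes, as an added C example that is not part of the original post or of Elm's source. The function names and the LONG_TERM value are constructed for illustration, and copy_term_strict is a hypothetical stricter alternative (reject instead of truncate) that nobody in the thread proposed.

```c
#include <stdio.h>
#include <string.h>

#define TERMNAME_LEN 40  /* size of termname[] in the quoted Elm code */

/* Constructed 50-byte TERM value, longer than the buffer. */
static const char LONG_TERM[] =
    "0123456789" "0123456789" "0123456789" "0123456789" "0123456789";

/* First proposed patch: strncpy with n == sizeof(termname).
 * Returns 1 if termname ends up NUL-terminated, 0 if it does not. */
static int first_patch_terminated(const char *term)
{
    char termname[TERMNAME_LEN];
    memset(termname, 'X', sizeof(termname));   /* stand-in for stack garbage */
    strncpy(termname, term, sizeof(termname));
    return memchr(termname, '\0', sizeof(termname)) != NULL;
}

/* Change from the reply: set the last byte to NUL, copy at most size-1.
 * Returns the length of the stored string, always < TERMNAME_LEN. */
static size_t reply_patch_length(const char *term)
{
    char termname[TERMNAME_LEN];
    memset(termname, 'X', sizeof(termname));
    termname[sizeof(termname) - 1] = '\0';
    strncpy(termname, term, sizeof(termname) - 1);
    return strlen(termname);
}

/* Hypothetical stricter helper: reject an over-long value instead of
 * silently truncating it. Returns 0 on success, -1 on error. */
static int copy_term_strict(char *dst, size_t dstsz, const char *src)
{
    size_t n = src ? strlen(src) : dstsz;      /* NULL is treated as too long */
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);                   /* includes the terminator */
    return 0;
}

int main(void)
{
    char buf[TERMNAME_LEN];
    printf("first patch terminated: %d\n", first_patch_terminated(LONG_TERM));
    printf("reply patch length:     %zu\n", reply_patch_length(LONG_TERM));
    printf("strict copy result:     %d\n", copy_term_strict(buf, sizeof(buf), LONG_TERM));
    return 0;
}
```

With the first patch the write stays inside the buffer, but any later strlen or strcpy on termname reads past its end. The reply's version is always terminated, at the cost of silently truncating the value.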
