Bugtraq mailing list archives
Re: ELM overflow
From: Michel.Gaudet () EHESS FR (Michel GAUDET)
Date: Fri, 16 May 1997 13:31:05 +0200
On Wed, 14 May 1997 security () home bti pl wrote:
On Tue, 13 May 1997, Wojciech Swieboda wrote:Hello, I've lately found an overflow vulnerability in Elm (Elm is setgid mail on linux, and perhaps on some other platforms aswell). I've tested this bug on versions 2.3 and 2.4, on 3 different Linux installations. from Elm 2.3's curses.c: [...] char termname[40]; char *strcpy(), *getenv(); if (getenv("TERM") == NULL) return(-1); if (strcpy(termname, getenv("TERM")) == NULL) return(-1); [...] to patch, change the strcpy line to if (strncpy(termname, getenv("TERM"), sizeof(termname)) == NULL)To patch it on Elm 2.4, change: [...] if (strcpy(termname, termenv) == NULL) return (-1); to: [...] if (strncpy(termname, termenv, sizeof(termname)) == NULL) return (-1); -Grych
You must terminate the string with \0 because strncpy don't : the strncpy copy at maximum n characters regardless, if length S2 >= n, of the termination of the strings. Then I think the exact change should be : char termname[40]; char *strncpy(), *getenv(); .... termname[39] = '\0' ; if (strncpy(termname, termenv, sizeof(termname) - 1) == NULL) return (-1); Regards. -------------------------------------------------------------------------- | Michel GAUDET | | Ecole des Hautes Etudes en Sciences Sociales. | | 54 Boulevard RASPAIL 75006 PARIS (France) | | FAX:(33) 01 49 54 26 85 Email: Michel.Gaudet () ehess fr | | Tel:(33) 01 49 54 25 91 | --------------------------------------------------------------------------
Current thread:
- Re: Linux UID/GID 'Feature', (continued)
- Re: Linux UID/GID 'Feature' Jim Trocki (May 11)
- Re: Linux UID/GID 'Feature' Jon Lewis (May 11)
- more DoS fun Ghent (May 11)
- Re: Linux UID/GID 'Feature' Andrew G. Morgan (May 11)
- sendmail 8.8.6 Beta release available Jason R Mastaler (May 11)
- New Win95 OOB fix allows Netbios to be used Aaron Weintraub (May 12)
- UPDATE TO OOB FIX Aaron Weintraub (May 12)
- Re: New Win95 OOB fix allows Netbios to be used Ian MacPhedran (May 13)
- UPDATE TO OOB FIX Wojciech Swieboda (May 13)
- Re: ELM overflow security () home bti pl (May 14)
- Re: ELM overflow Michel GAUDET (May 16)
- potential root exploit with help from sam (HP-UX 10.x) David Hyams (May 14)
- Re: potential root exploit with help from sam (HP-UX 10.x) Trevor Schroeder (May 14)
- Sun Security Bulletin #00140 Sun Security Coordination Team (May 14)
- Non-executable stack -- final Linux kernel patch Solar Designer (May 14)
- NT4.0 SP3 Still vulnerable Aaron Spangler (May 15)
- MicroSolved finds hole in Ascom Timeplex Router Security Brent Huston (May 15)