Re: buffer overflow in libsecure (NSA Security-enhanced Linux)

[Matt Power <mhpower () BOS BINDVIEW COM>]

In http://www.securityfocus.com/archive/1/153355, Perry Harrington
<perry () webcom com> wrote:

> From your message, it would appear that the file parser is at fault, not
> truncating the newline in the value.  If the newline is removed, like most
> config file parsers, then the allocation logic is correct.

Actually, in the code from slinux-200012181053-release.tgz, the
allocation logic is still incorrect even if the newline character is
removed from the end of each line that's read from the
/etc/security/default_type file. If the newline is removed, the number
of characters to copy is reduced by one, but the buffer size is also
reduced by one. For example, if the buf field were "sysadm_r:sysadm_t"
rather than "sysadm_r:sysadm_t\n", then strlen(buf)-i-len-1 is
17 - 0 - 8 - 1, which is 8; and the strcpy would attempt to copy the 9
characters "sysadm_t\0" into the 8-character buffer.

In any case, the NSA has announced a new release that fixes this
buffer-overflow problem. There's a copy of the NSA's announcement at

  http://marc.theaimsgroup.com/?l=selinux&m=97847509307650&w=2

Matt Power
BindView Corporation, RAZOR Team
mhpower () bos bindview com