Bugtraq mailing list archives
Re: GNU Sharutils buffer overflow vulnerability.
From: Dan Yefimov <dan () D00M integrate com ru>
Date: Sun, 11 Apr 2004 00:14:48 +0400 (MSD)
On Tue, 6 Apr 2004, [iso-8859-1] Shaun Colley wrote:
I have written a simple patch below to fix the buffer
overflow bug:
--- shar-bof.patch ---
--- shar.1.c 2004-04-06 16:26:55.000000000 +0100
+++ shar.c 2004-04-06 16:32:32.000000000 +0100
@@ -1905,7 +1905,7 @@
break;
case 'o':
- strcpy (output_base_name, optarg);
+ strncpy (output_base_name, optarg,
sizeof(output_base_name));
if (!strchr (output_base_name, '%'))
strcat (output_base_name, ".%02d");
part_number = 0;
--- EOF ---
Your patch isn't quite correct since you at least forgot about
strcat(output_base_name, ".%02d") following patched code. You didn't also
notice subsequent using output_base_name as a format string which may produce
overflow of output_filename[] because of unnoticed percent symbols passed in.
Attached a patch accounting for that.
--
Sincerely Your, Dan.
Attachment:
sharutils-4.2.1-bof.patch
Description:
Current thread:
- GNU Sharutils buffer overflow vulnerability. Shaun Colley (Apr 06)
- Re: GNU Sharutils buffer overflow vulnerability. Didier Arenzana (Apr 07)
- Re: GNU Sharutils buffer overflow vulnerability. Carlos Eduardo Pinheiro (Apr 07)
- Re: GNU Sharutils buffer overflow vulnerability. Dan Yefimov (Apr 10)
- Re: GNU Sharutils buffer overflow vulnerability. Didier Arenzana (Apr 07)