Bugtraq mailing list archives
Re: GNU Sharutils buffer overflow vulnerability.
From: Dan Yefimov <dan () D00M integrate com ru>
Date: Sun, 11 Apr 2004 00:14:48 +0400 (MSD)
On Tue, 6 Apr 2004, Shaun Colley wrote:
I have written a simple patch below to fix the buffer overflow bug: --- shar-bof.patch --- --- shar.1.c 2004-04-06 16:26:55.000000000 +0100 +++ shar.c 2004-04-06 16:32:32.000000000 +0100 @@ -1905,7 +1905,7 @@ break; case 'o': - strcpy (output_base_name, optarg); + strncpy (output_base_name, optarg, sizeof(output_base_name)); if (!strchr (output_base_name, '%')) strcat (output_base_name, ".%02d"); part_number = 0; --- EOF ---
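Review bot: In the 'o' case, strncpy (output_base_name, optarg, sizeof(output_base_name)) leaves the buffer without a terminating NUL whenever optarg is at least that long, and the unchanged strcat (output_base_name, ".%02d") two lines below then scans past the end of the buffer and appends five more bytes. Bound the copy to sizeof(output_base_name) - 1 minus the length of the suffix, write the terminator explicitly, and reject a longer optarg before the strchr/strcat pair runs. Note also that sizeof gives the buffer size only if output_base_name is declared as an array, which the hunk does not show.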
Your patch isn't quite correct, since you at least forgot about the strcat(output_base_name, ".%02d") following the patched code. You also didn't notice the subsequent use of output_base_name as a format string, which may produce an overflow of output_filename[] because of unnoticed percent symbols passed in. Attached is a patch accounting for that.

--
Sincerely yours,
Dan.
Attachment:
sharutils-4.2.1-bof.patch
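The two problems named in this reply (the unbounded strcat after the copy, and the later use of output_base_name as a format string) are handled together in the standalone sketch below. It is an added example, not the attached sharutils-4.2.1-bof.patch and not sharutils code; the function names, the buffer sizes and the accepted format grammar (literal text, "%%", one %d with up to three width digits) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Allow literal text, "%%", and exactly one %[digits]d conversion. */
static int fmt_is_safe(const char *f)
{
    int conversions = 0;
    for (; *f; f++) {
        if (*f != '%' || *++f == '%') continue;   /* literal char or "%%" */
        int digits = 0;
        while (*f >= '0' && *f <= '9') { f++; digits++; }
        if (digits > 3 || *f != 'd' || ++conversions > 1) return 0;
    }
    return conversions == 1;
}

/* Store the -o argument; returns 0 on success, -1 if it is too long or unsafe. */
int set_output_base(char *dst, size_t dstsize, const char *arg)
{
    static const char suffix[] = ".%02d";
    size_t len = strlen(arg);
    if (!strchr(arg, '%')) {
        if (len + sizeof suffix > dstsize) return -1; /* sizeof counts the NUL */
        memcpy(dst, arg, len);
        memcpy(dst + len, suffix, sizeof suffix);
        return 0;
    }
    if (len + 1 > dstsize || !fmt_is_safe(arg)) return -1;
    memcpy(dst, arg, len + 1);
    return 0;
}

/* Expand the validated base into a part file name; -1 on truncation. */
int make_part_name(char *out, size_t outsize, const char *base, int part)
{
    int n = snprintf(out, outsize, base, part);
    return (n < 0 || (size_t)n >= outsize) ? -1 : 0;
}

int main(void)
{
    char base[64], name[80];   /* sizes are assumptions, not sharutils' own */
    const char *args[] = { "archive", "out%03d", "x%s%s", "x%n" }; /* constructed */
    for (size_t i = 0; i < sizeof args / sizeof *args; i++)
        if (set_output_base(base, sizeof base, args[i]) == 0 &&
            make_part_name(name, sizeof name, base, 1) == 0)
            printf("%-8s -> %s\n", args[i], name);
        else
            printf("%-8s rejected\n", args[i]);
    return 0;
}
```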