Vulnerability

    bdf & df

Affected

    HpUX 11.00

Description

    Following is based on Hackerslab bug_paper sent by Kyong-won  Cho.
    bdf reports number of free  disk blocks (Berkeley version).   With
    -t type reports on the file systems of a given type (for  example,
    nfs or hfs).

    * 'bdf' program has SUID permission.

        $ ls -la `which bdf`
        -r-sr-xr-x   1 root       bin          24576 Apr  7  1998 /usr/bin/bdf

    * Using '-t' option with long character

        $ bdf -t `perl -e 'print "A"x2415'`
        bdf: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAA..omited...AAAAAAAAAAAAAAAA : No such file or directory
        usage: bdf [ -b ] [ -i ] [ -l ] [-t type | file... ]
        $ bdf -t `perl -e 'print "A"x2416'`
        Memory fault
        $

        <bash environment>
        bash-2.04$ bdf -b -t `perl -e 'print "A"x2416'`
        Segmentation fault
        bash-2.04$

        ***

    If  bigger  than  2415  characters,  'bdf'  has  Segment  faulted.
    Maybe.. 'bdf' has not checked string boundary.

Solution

    Apply appropriate patches for BOTH commands as listed below:

      bdf(1m): HP-UX release 11.00:           PHCO_22274,
               HP-UX release 11.04 VVOS:      PHCO_22326,
               HP-UX release 10.20:           PHCO_22273,
               HP-UX release 10.24 VVOS:      PHCO_22324,
               HP-UX release 10.26 CMW:       PHCO_20871,
               HP-UX release 10.10:           PHCO_22502,
               HP-UX release 10.01:           PHCO_22501.

       df(1m): HP-UX release 11.00:           PHCO_22276,
               HP-UX release 11.04 VVOS:      PHCO_22327,
               HP-UX release 10.20:           PHCO_22275,
               HP-UX release 10.24 VVOS:      PHCO_22325,
               HP-UX release 10.26 CMW:       PHCO_20960,
               HP-UX release 10.10:           PHCO_22504,
               HP-UX release 10.01:           PHCO_22503.