31st May 2002   [SBWID-5385]
	
COMMAND
	cvsd local overflow
SYSTEMS AFFECTED
	 version 1.11
	 corrected in 1.11.2
PROBLEM
	david evlis reign from der sys posted the following bug regarding CVSd:
	
	the family of scanf functions (scanf, sscanf, fscanf) are generally
	insecure in usage and steps have been taken to make them more...secure
	you might say like adding bounds checking (sscanf(hey, "%.4096s %d",
	buffer, int)) but the function still remains quite insecure, to a
	lesser known bug like an off by one.
	
	
	WRONG:
	char buf[10];
	int i;
	sscanf(hey, "%10s", buf); <-- boundary checks ten bytes...
	
	RIGHT:
	char buf[10];
	int i;
	sscanf(hey, "%9s", buf); <-- see!
	
	
	therefore in the first example (WRONG) the last byte into buf will
	exceed the allocated space (10 bytes) by one byte. woops.
	(http://www.hert.org/papers/klog-1.html <-- nice article)
	
	details:
	
	in cvs-1.11/src/rcs.c:
	
	info = findnode (vers->other_delta, "special");
		if (info != NULL)
		{
		    /* If the size of `devtype' changes, fix the sscanf call also */
		    char devtype[16]; <-- SIXTEEN BYTES
	
		    if (sscanf (info->data, "%16s %lu", <-- WOOPS SHOULD BE 15
				devtype, &devnum_long) < 2)
			error (1, 0, "%s:%s has bad `special' newphrase %s",
			       workfile, vers->version, info->data);
		    devnum = devnum_long;
		    if (STREQ (devtype, "character"))
			special_file = S_IFCHR;
		    else if (STREQ (devtype, "block"))
			special_file = S_IFBLK;
		    else
			error (0, 0, "%s is a special file of unsupported type `%s'",
			       workfile, info->data);
		}
	    }
	
	
	this is only a locally exploitable hole since  the  data  is  read  from
	info->data which in turn is from a symlinked local file (heh,  you  know
	where to find it);
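	The program below is an added illustration (not from the post above or from the CVS sources): it measures how many bytes a "%16s" versus a "%15s" conversion actually stores for a constructed 16-character device type, and shows a parse of the "special" newphrase that derives the field width from the array size so the two cannot drift apart.

```c
#include <stdio.h>
#include <string.h>

/* Tie the sscanf field width to the array size so the two cannot drift apart
   (the original rcs.c relied on a comment to keep them in sync). */
#define DEVTYPE_MAX  15                  /* max characters, excluding the NUL */
#define DEVTYPE_SIZE (DEVTYPE_MAX + 1)   /* array size, including the NUL */
#define STR_(x) #x
#define STR(x)  STR_(x)

/* Number of bytes a "%Ns" conversion actually stores for this input.
   Measured in an oversized scratch buffer so this probe itself stays in
   bounds: sscanf stores up to N characters PLUS a terminating NUL. */
size_t bytes_stored(const char *fmt, const char *input)
{
    char scratch[64] = {0};
    if (sscanf(input, fmt, scratch) != 1)
        return 0;
    return strlen(scratch) + 1;
}

/* Hardened parse of a CVS "special" newphrase ("<devtype> <devnum>"),
   shaped like the patched code. Returns 1 on success, 0 on malformed input
   (the path where rcs.c calls error()). An over-long type token is cut at
   15 characters, the remainder then fails the %lu conversion, and the
   count check rejects the line instead of silently accepting it. */
int parse_special(const char *data, char devtype[DEVTYPE_SIZE],
                  unsigned long *devnum)
{
    /* Expands to "%15s %lu": at most 15 chars + NUL fit in devtype[16]. */
    if (sscanf(data, "%" STR(DEVTYPE_MAX) "s %lu", devtype, devnum) < 2)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed input: a 16-character device type followed by a number. */
    const char *long_type = "0123456789abcdef 42";
    char devtype[DEVTYPE_SIZE];
    unsigned long devnum = 0;

    printf("%%16s stores %zu bytes, %%15s stores %zu bytes, devtype holds %d\n",
           bytes_stored("%16s", long_type), bytes_stored("%15s", long_type),
           DEVTYPE_SIZE);
    printf("parse \"character 8\": %d\n",
           parse_special("character 8", devtype, &devnum));
    printf("parse 16-char type: %d\n", parse_special(long_type, devtype, &devnum));
    return 0;
}
```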
SOLUTION
	Upgrade to 1.11.2, or apply the following patch written by der sys
	(corrected by Larry Jones):
	
	
	--- rcs_old.c	Mon Jan 25 02:05:16 2002
	+++ rcs.c	Mon Jan 25 02:05:40 2002
	
	--- 4238:       if (sscanf (info->data, \"%16s %lu\",
	+++ 4238:       if (sscanf (info->data, \"%15s %lu\",
			devtype, &devnum_long) < 2)
			error (1, 0, \"%s:%s has bad `special\' newphrase %s\",
			workfile, vers->version, info->data);
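	Review bot: this is not a unified diff that patch(1) can apply: there is no @@ hunk header and the "--- 4238:" / "+++ 4238:" lines are a hand-written line reference, so the fix has to be applied by hand; regenerating it with "diff -u rcs_old.c rcs.c" would give an applicable hunk. The one-character change itself is correct: "%15s" stores at most 15 characters plus the terminating NUL, which fits char devtype[16], and an over-long token leaves its tail for the "%lu" conversion, which then fails so the "< 2" check reports a bad newphrase rather than overrunning. The comment above the array ("If the size of `devtype' changes, fix the sscanf call also") still governs, so any later resize must touch both lines.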
	