Bug 11881

Summary: Patches to strengthen security
Product: [Retired] Red Hat Linux
Reporter: SB <satan>
Component: tcp_wrappers
Assignee: Preston Brown <pbrown>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: 6.2
Keywords: FutureFeature
Hardware: i386
OS: Linux
Doc Type: Enhancement
Last Closed: 2000-06-03 03:56:01 UTC

Description SB 2000-06-03 03:56:00 UTC
tcpd's argv[0] needed some bounds checking, so for peace of mind
I made the following changes (in typical diff -u format):
------------------------------------------------------------------------
--- tcpd.c.orig Sun Feb 11 11:01:33 1996
+++ tcpd.c      Wed May 31 00:21:01 2000
@@ -60,10 +60,10 @@
      */
 
     if (argv[0][0] == '/') {
-       strcpy(path, argv[0]);
+       strncpy(path, argv[0], sizeof(path));
        argv[0] = strrchr(argv[0], '/') + 1;
     } else {
-       sprintf(path, "%s/%s", REAL_DAEMON_DIR, argv[0]);
+       snprintf(path, sizeof(path), "%s/%s", REAL_DAEMON_DIR, argv[0]);
     }
 
     /*
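Review bot: strncpy(path, argv[0], sizeof(path)) in the absolute-path branch leaves path without a terminating NUL when argv[0] is sizeof(path) bytes or longer, so the write overflow is closed but the buffer can still be read past its end afterwards. Either add path[sizeof(path) - 1] = '\0'; after the copy, or use snprintf(path, sizeof(path), "%s", argv[0]) to match the else branch. In both branches an over-long name is cut silently, so path can end up naming a different file than the one requested; comparing the snprintf return value against sizeof(path) and refusing to continue would be safer than proceeding with a truncated path.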
------------------------------------------------------------------------

The following parts of eval.c, which is part of libwrap.a, didn't
look "safe" enough to me, because both's size is 256 and hostinfo
and request->user can both be size 128, and 128 + 128 = 256; then
when you add the '@' char you get a string of 257 being shoved into
a string of size 256.  Ditto for host and daemon in the second part
of the patch.
------------------------------------------------------------------------
--- eval.c.orig Mon Jan 30 13:51:46 1995
+++ eval.c      Wed May 31 00:43:16 2000
@@ -111,7 +111,7 @@
        return (hostinfo);
 #endif
     if (STR_NE(eval_user(request), unknown)) {
-       sprintf(both, "%s@%s", request->user, hostinfo);
+       snprintf(both, sizeof(both),"%s@%s", request->user, hostinfo);
        return (both);
     } else {
        return (hostinfo);
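Review bot: the snprintf return value is discarded in the user@host case, so when request->user plus hostinfo does not fit, a string with the tail of hostinfo cut off is returned as if it were complete. Please check for a result that is negative or >= sizeof(both) and handle it explicitly instead of returning the shortened string. Style: the call is missing a space after the comma in sizeof(both),"%s@%s".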
@@ -128,7 +128,7 @@
     char   *daemon = eval_daemon(request);
 
     if (STR_NE(host, unknown)) {
-       sprintf(both, "%s@%s", daemon, host);
+       snprintf(both, sizeof(both), "%s@%s", daemon, host);
        return (both);
     } else {
        return (daemon);
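Review bot: sizeof(both) in the daemon@host snprintf is only the buffer size if both is an array visible in this scope; its declaration is outside the hunk context, so please confirm it is not a char * (where sizeof would give the pointer size and the bound would be wrong). The return value is also unchecked here, so a host that does not fit is returned truncated with no indication to the caller; the same explicit length check as for the user@host case would apply.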
------------------------------------------------------------------------

Dunno if these patches fix anything potentially harmful; I just made
them because to me it looked like there were some potential problems.  The
argv[0] in tcpd is a problem that the first patch fixes, though I
don't see any potential threat from it; I figured better safe now than
sorry later.

-Stan Bubrouski
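
The length boundary discussed in the report, as an added example (not part of the original report or of the tcp_wrappers source): it formats "left@right" into a 256-byte buffer and uses snprintf's return value to detect a result that does not fit. `join_at`, `fill` and `try_lengths` are hypothetical helpers, the 256-byte size is taken from the report's description, and the input strings are constructed.

```c
#include <stdio.h>
#include <string.h>

#define BOTH_SIZE 256   /* size of `both` as stated in the report */

/* Hypothetical helper: write "left@right" into out.
 * Returns 0 on success, -1 if the result (plus NUL) does not fit;
 * on failure out is set to the empty string so no truncated
 * identity is ever handed to a caller. */
static int join_at(char *out, size_t outsz, const char *left, const char *right)
{
    int n = snprintf(out, outsz, "%s@%s", left, right);

    /* snprintf returns the length it wanted to write, excluding the NUL */
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Fill buf with len copies of c and terminate it (constructed input). */
static void fill(char *buf, size_t len, char c)
{
    memset(buf, c, len);
    buf[len] = '\0';
}

/* Join a user of ulen chars and a host of hlen chars (each < 200). */
static int try_lengths(size_t ulen, size_t hlen)
{
    char user[200], host[200], both[BOTH_SIZE];

    fill(user, ulen, 'u');
    fill(host, hlen, 'h');
    return join_at(both, sizeof(both), user, host);
}

int main(void)
{
    printf("127 + '@' + 127 -> %d\n", try_lengths(127, 127));
    printf("128 + '@' + 128 -> %d\n", try_lengths(128, 128));
    return 0;
}
```
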

Comment 1 Jeff Johnson 2000-07-27 19:45:57 UTC
Fixed in tcp_wrappers-7.6-14. Thanks for noticing (and sending a patch).