Bug 11881 - Patches to strengthen security
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: tcp_wrappers
Version: 6.2
Hardware: i386 Linux
Priority: medium Severity: medium
Assigned To: Preston Brown
Keywords: FutureFeature
Reported: 2000-06-02 23:56 EDT by SB
Modified: 2008-05-01 11:37 EDT
Doc Type: Enhancement
Last Closed: 2000-06-02 23:56:01 EDT
Description SB 2000-06-02 23:56:00 EDT
tcpd's argv[0] needed some bounds checking, so for peace of mind
I made the following changes (in typical diff -u format):
------------------------------------------------------------------------
--- tcpd.c.orig Sun Feb 11 11:01:33 1996
+++ tcpd.c      Wed May 31 00:21:01 2000
@@ -60,10 +60,10 @@
      */
 
     if (argv[0][0] == '/') {
-       strcpy(path, argv[0]);
+       strncpy(path, argv[0], sizeof(path));
        argv[0] = strrchr(argv[0], '/') + 1;
     } else {
-       sprintf(path, "%s/%s", REAL_DAEMON_DIR, argv[0]);
+       snprintf(path, sizeof(path), "%s/%s", REAL_DAEMON_DIR, argv[0]);
     }
 
     /*
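Review bot: the added `strncpy(path, argv[0], sizeof(path));` leaves `path` without a terminating NUL whenever argv[0] is sizeof(path) bytes or longer, so the overflow is traded for an unterminated string. Either follow it with `path[sizeof(path) - 1] = '\0';` or use snprintf here as the else branch does. Both branches also truncate silently, and `path` then names a different file than the one requested; checking the length (for snprintf, a return value >= sizeof(path)) and refusing to continue would be safer than proceeding with a shortened path. The declaration of `path` is outside the visible context, so please confirm it is an array and not a pointer, otherwise sizeof(path) is not the buffer size.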
------------------------------------------------------------------------

The following parts of eval.c which is part of libwrap.a didn't
look "safe" enough for me because both's size is 256 and hostinfo
and request->user can both be size 128 and 128 + 128 = 256 then
when you add the '@' char you get string of 257 being shoved into
string of size 256.  Ditto for host and daemon in the second part
of the patch.
------------------------------------------------------------------------
--- eval.c.orig Mon Jan 30 13:51:46 1995
+++ eval.c      Wed May 31 00:43:16 2000
@@ -111,7 +111,7 @@
        return (hostinfo);
 #endif
     if (STR_NE(eval_user(request), unknown)) {
-       sprintf(both, "%s@%s", request->user, hostinfo);
+       snprintf(both, sizeof(both),"%s@%s", request->user, hostinfo);
        return (both);
     } else {
        return (hostinfo);
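Review bot: the added snprintf line bounds the write but ignores the return value, so an over-long `request->user` plus `hostinfo` comes back to the caller as a silently truncated user@host string, with the host part being what gets cut. Consider testing for a return value >= sizeof(both) and handling that case explicitly (for example, falling back to the `return (hostinfo);` path or reporting an error) rather than returning the shortened string. Minor style point on the same line: there is no space after the comma in `sizeof(both),"%s@%s"`, unlike the matching line in the next hunk.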
@@ -128,7 +128,7 @@
     char   *daemon = eval_daemon(request);
 
     if (STR_NE(host, unknown)) {
-       sprintf(both, "%s@%s", daemon, host);
+       snprintf(both, sizeof(both), "%s@%s", daemon, host);
        return (both);
     } else {
        return (daemon);
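Review bot: `sizeof(both)` in the added snprintf line only limits the write correctly if `both` is declared as a char array in this function; the declaration is not in the visible context, so please confirm it is not a pointer, where sizeof would yield the pointer size instead. Since `both` is returned to the caller, a one-line comment at its declaration recording its size and that it must outlive the call would help future readers. The unchecked return value noted on the previous hunk applies here as well: an over-long `daemon` plus `host` is returned truncated.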
------------------------------------------------------------------------

Dunno if these patches fix anything potentially harmful, I just made
them because to me it looked like there were some potential problems.  The
argv[0] in tcpd is a problem that the first patch fixes, though I
don't see any potential threat from it, I figured better safe now than
sorry later.

-Stan Bubrouski
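
The size arithmetic described for eval.c, worked through with a return-value check on snprintf, as an added example that is not part of the original report or of tcp_wrappers. `join_at`, `fill`, `needed` and `BOTH_LEN` are hypothetical names; the 256-byte buffer and 128-character inputs are the figures given in the description.

```c
#include <stdio.h>
#include <string.h>

#define BOTH_LEN 256    /* size of `both` as stated in the report */

/*
 * Hypothetical helper (not from tcp_wrappers): format "left@right" into dst.
 * Returns 0 on success, -1 if the result would not fit; on failure dst is
 * set to the empty string instead of holding a truncated value.
 */
static int join_at(char *dst, size_t dstlen, const char *left, const char *right)
{
    int n;

    if (dstlen == 0)
        return -1;
    n = snprintf(dst, dstlen, "%s@%s", left, right);
    if (n < 0 || (size_t) n >= dstlen) {    /* n excludes the NUL */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: fill buf with len 'a' characters plus a NUL. */
static void fill(char *buf, size_t len)
{
    memset(buf, 'a', len);
    buf[len] = '\0';
}

/* Bytes an unbounded sprintf("%s@%s") would write, including the NUL. */
static size_t needed(const char *left, const char *right)
{
    return strlen(left) + 1 + strlen(right) + 1;
}

int main(void)
{
    char user[129], host[129], both[BOTH_LEN];
    int rc;

    fill(user, 128); fill(host, 128);      /* the case from the report */
    rc = join_at(both, sizeof(both), user, host);
    printf("128+128: need %zu of %d bytes, rc=%d\n", needed(user, host), BOTH_LEN, rc);
    fill(user, 127); fill(host, 127);      /* largest pair that fits */
    rc = join_at(both, sizeof(both), user, host);
    printf("127+127: need %zu of %d bytes, rc=%d\n", needed(user, host), BOTH_LEN, rc);
    return 0;
}
```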
Comment 1 Jeff Johnson 2000-07-27 15:45:57 EDT
Fixed in tcp_wrappers-7.6-14. Thanks for noticing (and sending a patch).
