> Chuck Campbell (campbell) pointed me out that tripwire dies with > coredump on R.H. linux, if it hits a filename containing 128-255 characters. > Playing a bit with debugger I found out that the problem sits around the > line 417: > else if (iscntrl(*pcin)) { > *pcout++ = '\\'; > *pcout++ = *(pccopy = octal_array[(int)(*pcin)]); > *pcout++ = *++pccopy; > *pcout++ = *++pccopy; > } > > iscntrl here would return 'true' not only for [0-31] arg, but also for > [128-255]. It cause two problems here: > 1. original octal_array contained only 127 elements, reference would go > outside the array with *pcin>127 > 2. pcin is declared as pointer to char, which caused a negative offset for > chars in range above 127. (and which actually caused coredump in this case) > > bellow is the patch to tripwire 1.2 (as it is on coast.cs.purdue.edu, and > ftp.redhat.com sites), and message from Gene Spafford which I received for > responce to my message. I wasn't able to test this bug on commercial > tripwire, but since people still use free version, this problem still might > be applicable. > > ---------- Forwarded message ---------- > Date: Sun, 03 Jan 1999 10:25:36 -0500 > From: Gene Spafford <spaf.edu> > > [Form-letter response, last modified 8/16/98] > > Thanks for your inquiry about Tripwire. > > In mid-December 1997, Tripwire Security Systems, Inc. (formerly Visual > Computing Corporation) acquired the license for our Tripwire > change/intrusion detection system. They are now marketing an enhanced, > supported version of Tripwire for Unix-based machines. They are also > planning a Windows NT version of Tripwire for release sometimes in late > 1998. Gene Kim, my former student and the original author of Tripwire, > is the VP of TSS, and I may have some technical advisory role in these > developments. All enquiries about Tripwire sales and technical support > should be directed to: > W. Wyatt Starnes > President > Tripwire Security Systems, Inc. > 615 SW Broadway > Portland, Oregon 97205 > Phone: (503) 223-0280 > FAX: (503) 223-0182 > tripwire > > You can visit the Tripwire WWW site at > <http://www.tripwiresecurity.com/> for details on the latest release of > the program, and for assistance with problems with previous versions. > Note that personnel at Purdue are no longer supporting Tripwire. > > Please also note that Tripwire is a registered trademark of the Purdue > Research Foundation, and it is also licensed to TSS. >
This is a very common code problem; typically, these is* macros take int arguments where the only valid arguments are eitehr -1 .. 255 or 0 .. 255. Many OSes/compilers use signed chars. Almost nobody takes proper care in casting char arguments to is*() to unsigned char. You'll find unpredictable things in much code, I'm sure.
added patch to fix tripwire