

31st May 2002 [SBWID-5385]
COMMAND
	cvsd local overflow
SYSTEMS AFFECTED
	 version 1.11
	 corrected in 1.11.2
PROBLEM
	David Evlis Reign from der sys posted the following bug regarding CVSd:
	
	The family of scanf functions (scanf, sscanf, fscanf) is generally
	insecure in usage, and steps have been taken to make them more... secure,
	you might say, like adding bounds checking (sscanf(hey, "%4096s %d",
	buffer, int)), but the function still remains quite insecure, to a
	lesser known bug like an off by one.
	
	
	WRONG:
	char buf[10];
	int i;
	sscanf(hey, "%10s", buf);  /* <-- boundary checks ten bytes... */
	
	RIGHT:
	char buf[10];
	int i;
	sscanf(hey, "%9s", buf);   /* <-- see! */
	
	
	Therefore in the first example (WRONG) the last byte into buf will
	exceed the allocated space (10 bytes) by one byte. Woops.
	(http://www.hert.org/papers/klog-1.html <-- nice article)
	
	details:
	
	in cvs-1.11/src/rcs.c:
	
	info = findnode (vers->other_delta, "special");
	if (info != NULL)
	{
	    /* If the size of `devtype' changes, fix the sscanf call also */
	    char devtype[16];                        /* <-- SIXTEEN BYTES */
	
	    if (sscanf (info->data, "%16s %lu",      /* <-- WOOPS SHOULD BE 15 */
	                devtype, &devnum_long) < 2)
	        error (1, 0, "%s:%s has bad `special' newphrase %s",
	               workfile, vers->version, info->data);
	    devnum = devnum_long;
	    if (STREQ (devtype, "character"))
	        special_file = S_IFCHR;
	    else if (STREQ (devtype, "block"))
	        special_file = S_IFBLK;
	    else
	        error (0, 0, "%s is a special file of unsupported type `%s'",
	               workfile, info->data);
	}
	
	
	This is only a locally exploitable hole, since the data is read from
	info->data, which in turn is from a symlinked local file (heh, you know
	where to find it).
SOLUTION
	Upgrade to 1.11.2, or apply the following patch, written by der sys
	(corrected by Larry Jones):
	
	
	--- rcs_old.c	Mon Jan 25 02:05:16 2002
	+++ rcs.c	Mon Jan 25 02:05:40 2002
	
	--- 4238: if (sscanf (info->data, \"%16s %lu\",
	+++ 4238: if (sscanf (info->data, \"%15s %lu\",
			devtype, &devnum_long) < 2)
			error (1, 0, \"%s:%s has bad `special\' newphrase %s\",
			workfile, vers->version, info->data);
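	Review bot: The "%15s" width is the right fix for the 16-byte devtype buffer (15 characters plus the terminating NUL), but the width is still a literal that duplicates the array size, which is exactly how the original "%16s" drifted out of step; keep the "If the size of `devtype' changes, fix the sscanf call also" comment next to the call, or derive the width from one shared constant, so the two cannot diverge again.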
	
