Project

General

Profile

Bug #9599

Buffer overflow in usr/src/lib/libsocket/inet/ruserpass.c

Added by Thomas Barabosch about 2 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
High
Assignee:
Category:
lib - userland libraries
Start date:
2018-06-14
Due date:
% Done:

100%

Estimated time:
0.00 h
Difficulty:
Bite-size
Tags:
Gerrit CR:

Description

There is a potential buffer overflow in usr/src/lib/libsocket/inet/ruserpass.c. One should not blindly trust environment variables:
hdir = getenv("HOME");
if (hdir == NULL)
hdir = ".";
(void) sprintf(buf, "%s/.netrc", hdir);

The patch is trivial, just use snprintf.


Files

ruserpass.c.patch (377 Bytes) ruserpass.c.patch Thomas Barabosch, 2018-06-14 09:23 AM
ruserpass.c.patch (371 Bytes) ruserpass.c.patch Thomas Barabosch, 2018-06-14 09:26 AM

History

#1

Updated by Thomas Barabosch about 2 years ago

Sorry, there were whitespaces instead of tabs in the patch. Fixed that.

BTW this bug was fixed in 1997 in FreeBSD (github mirror: e5d10bdc2e49726df5f9f4de7b68c37c1235a234)

#2

Updated by Toomas Soome about 2 years ago

  • Status changed from New to In Progress
  • Assignee set to Toomas Soome
  • % Done changed from 0 to 90
  • Difficulty changed from Medium to Bite-size
  • Tags deleted (needs-triage)
#3

Updated by Toomas Soome about 2 years ago

Thomas Barabosch wrote:

There is a potential buffer overflow in usr/src/lib/libsocket/inet/ruserpass.c. One should not blindly trust environment variables:
hdir = getenv("HOME");
if (hdir == NULL)
hdir = ".";
(void) sprintf(buf, "%s/.netrc", hdir);

The patch is trivial, just use snprintf.

https://www.illumos.org/rb/r/1106/

#4

Updated by Electric Monk about 2 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 90 to 100

git commit 00f1a4f432b3d8aad1aa270e91c44c57f03ef407

commit  00f1a4f432b3d8aad1aa270e91c44c57f03ef407
Author: Toomas Soome <tsoome@me.com>
Date:   2018-07-09T16:33:58.000Z

    9599 Buffer overflow in usr/src/lib/libsocket/inet/ruserpass.c
    Reviewed by: Yuri Pankov <yuripv@yuripv.net>
    Reviewed by: Andy Fiddaman <af@citrus-it.net>
    Reviewed by: Igor Kozhukhov <igor@dilos.org>
    Reviewed by: Ken Mays <kmays2000@gmail.com>
    Approved by: Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>

Also available in: Atom PDF