Bug #9599
Buffer overflow in usr/src/lib/libsocket/inet/ruserpass.c
Status: closed
% Done: 100%
Description
There is a potential buffer overflow in usr/src/lib/libsocket/inet/ruserpass.c. One should not blindly trust environment variables:
    hdir = getenv("HOME");
    if (hdir == NULL)
        hdir = ".";
    (void) sprintf(buf, "%s/.netrc", hdir);
The patch is trivial, just use snprintf.
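An added example, not the patch attached to this issue and not illumos code: a bounded version of the path construction that also checks the snprintf return value, because a silently truncated path would name a different file than the intended .netrc. The helper name netrc_path and the buffer sizes are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical helper (added example): build "<hdir>/.netrc" into buf.
 * Returns 0 on success, -1 if the path does not fit; on failure buf is
 * set to the empty string so a truncated path is never used.
 */
int
netrc_path(char *buf, size_t buflen, const char *hdir)
{
	int n;

	if (buf == NULL || buflen == 0)
		return (-1);
	if (hdir == NULL)
		hdir = ".";	/* same fallback as the code in the report */

	/* snprintf writes at most buflen bytes, terminating NUL included. */
	n = snprintf(buf, buflen, "%s/.netrc", hdir);

	/* n is the length the full string needs; n >= buflen means truncation. */
	if (n < 0 || (size_t)n >= buflen) {
		buf[0] = '\0';
		return (-1);
	}
	return (0);
}

int
main(void)
{
	char buf[64];		/* constructed size, small to show the failure path */
	char longhome[256];	/* constructed oversized HOME value */

	memset(longhome, 'A', sizeof (longhome) - 1);
	longhome[sizeof (longhome) - 1] = '\0';

	printf("env HOME:  %d\n", netrc_path(buf, sizeof (buf), getenv("HOME")));
	printf("long HOME: %d\n", netrc_path(buf, sizeof (buf), longhome));
	return (0);
}
```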
Updated by Thomas Barabosch over 5 years ago
- File ruserpass.c.patch ruserpass.c.patch added
Sorry, there were whitespaces instead of tabs in the patch. Fixed that.
BTW this bug was fixed in 1997 in FreeBSD (github mirror: e5d10bdc2e49726df5f9f4de7b68c37c1235a234)
Updated by Toomas Soome over 5 years ago
- Status changed from New to In Progress
- Assignee set to Toomas Soome
- % Done changed from 0 to 90
- Difficulty changed from Medium to Bite-size
- Tags deleted (needs-triage)
Updated by Toomas Soome over 5 years ago
Thomas Barabosch wrote:
There is a potential buffer overflow in usr/src/lib/libsocket/inet/ruserpass.c. One should not blindly trust environment variables:
    hdir = getenv("HOME");
    if (hdir == NULL)
        hdir = ".";
    (void) sprintf(buf, "%s/.netrc", hdir);
The patch is trivial, just use snprintf.
Updated by Electric Monk about 5 years ago
- Status changed from In Progress to Closed
- % Done changed from 90 to 100
git commit 00f1a4f432b3d8aad1aa270e91c44c57f03ef407
commit 00f1a4f432b3d8aad1aa270e91c44c57f03ef407
Author: Toomas Soome <tsoome@me.com>
Date: 2018-07-09T16:33:58.000Z

9599 Buffer overflow in usr/src/lib/libsocket/inet/ruserpass.c
Reviewed by: Yuri Pankov <yuripv@yuripv.net>
Reviewed by: Andy Fiddaman <af@citrus-it.net>
Reviewed by: Igor Kozhukhov <igor@dilos.org>
Reviewed by: Ken Mays <kmays2000@gmail.com>
Approved by: Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>