
First hunk of diffs

From: Warner Losh <imp(at)village.org>
Date: Tue Apr 29 1997 - 18:51:28 EDT

I've been running with these diffs now for some time. These seem sane.

Comments?

Warner

Here's a digest of what I'm doing.

libc/db/btree/bt_open.c
>From OpenBSD:
revision 1.4
date: 1996/08/26 00:17:14; author: deraadt; state: Exp; lines: +4 -3 use issetugid() to protect against bad getenv



libc/gen/glob.c
>From OpenBSD:
Working file: glob.c
revision 1.3
date: 1996/09/11 19:22:46; author: deraadt; state: Exp; lines: +2 -2 protect $HOME expansion; from das33@cornell.edu

libc/net/res_comp.c
>From OpenBSD by Theo de Raadt:
Limit the size of the buffer to MAXDNAME.



libc/net/res_init.c
>From OpenBSD:
Working file: res_init.c
revision 1.6
date: 1996/08/27 03:32:53; author: deraadt; state: Exp; lines: +4 -1 use strncpy correctly
revision 1.5
date: 1996/08/25 10:11:02; author: deraadt; state: Exp; lines: +5 -4 use issetugid()

libc/nls/msgcat.c
>From OpenBSD:
Working file: catopen.c
revision 1.6
date: 1996/08/26 00:17:20; author: deraadt; state: Exp; lines: +6 -8 use issetugid() to protect against bad getenv
libc/stdio/mktemp.c
libc/stdio/tempnam.c
libc/stdio/tmpnam.c

>From OpenBSD:
95% of common uses of these are incorrect and insecure. correct use is incredibly rare. Time for some education!

Also, 1.3 and 1.4 from OpenBSD's tempname have been merged in. These only cause TMPDIR env to be fetched when we aren't running setuid or setgid.



libc/stdtime/localtime.c
>From OpenBSD:
Working file: localtime.c
revision 1.10
date: 1997/04/02 03:57:30; author: deraadt; state: Exp; lines: +6 -2 correctly code the classes of permitted TZ specifications for the issetugid() case. thanks bitblt and tholo revision 1.6
date: 1996/09/05 12:28:23; author: deraadt; state: Exp; lines: +2 -2 1 char oflow
revision 1.5
date: 1996/08/25 10:11:11; author: deraadt; state: Exp; lines: +2 -2 use issetugid()

And some unknown whitespace change that shouldn't be there....



libedit/el.c
>From OpenBSD:
Working file: el.c
revision 1.2
date: 1996/08/26 00:17:22; author: deraadt; state: Exp; lines: +2 -2 use issetugid() to protect against bad getenv

libftpio/ftpio.c

>From Julian A:
Limit the size of h_length used to the actual size of the sin_addr buffer.



libskey/skeyaccess.c

>From Julian A:
Limit the size of h_length used to the actual size of the sin_addr buffer.

Also, fix 1 character overflow (which may also be in OpenBSD).

Index: libc/db/btree/bt_open.c



RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/db/btree/bt_open.c,v retrieving revision 1.4
diff -u -r1.4 bt_open.c
--- bt_open.c	1996/07/12 18:53:13	1.4
+++ bt_open.c	1997/04/28 20:00:02

@@ -388,10 +388,11 @@

 {
 	sigset_t set, oset;
 	int fd;
-	char *envtmp;
+	char *envtmp = NULL;
 	char path[MAXPATHLEN];
 
-	envtmp = getenv("TMPDIR");
+	if (issetugid() == 0)
+		envtmp = getenv("TMPDIR");
 	(void)snprintf(path,
 	    sizeof(path), "%s/bt.XXXXXX", envtmp ? envtmp : "/tmp");
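Review bot: The `snprintf()` result is still cast to void, so for a non-set-id caller an over-long `TMPDIR` is truncated silently and the `bt.XXXXXX` template suffix can be cut short or lost. Treating a return value `>= sizeof(path)` as an error before `path` is used would make that case fail cleanly instead of producing an unintended name. The function starts and continues outside this hunk, so the right error return is not visible here.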
 

Index: libc/gen/glob.c



RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/gen/glob.c,v retrieving revision 1.8
diff -u -r1.8 glob.c
--- glob.c	1997/04/04 19:16:08	1.8
+++ glob.c	1997/04/28 20:05:28

@@ -361,7 +361,7 @@
 * handle a plain ~ or ~/ by expanding $HOME
 * first and then trying the password file
 */
- if ((h = getenv("HOME")) == NULL) {
+ if (issetugid() != 0 || (h = getenv("HOME")) == NULL) {
 if ((pwd = getpwuid(getuid())) == NULL)
 return pattern;
 else
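Review bot: The comment above the changed condition no longer matches the code, because a set-id process now skips `$HOME` and goes straight to the password file. I would update it to something like `* handle a plain ~ or ~/ by expanding $HOME (ignored when issetugid()) first and then trying the password file`, so the security reason for the extra test is recorded next to it. The enclosing function is outside the hunk.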

Index: libc/net/res_comp.c

RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/net/res_comp.c,v retrieving revision 1.10
diff -u -r1.10 res_comp.c
--- res_comp.c	1997/02/22 15:00:29	1.10
+++ res_comp.c	1997/03/28 17:17:55

@@ -95,7 +95,7 @@
 
 	dn = exp_dn;
 	cp = comp_dn;
-	eom = exp_dn + length;
+	eom = exp_dn + (length > MAXDNAME ? MAXDNAME : length);
 	/*
 	 * fetch next label in domain name
 	 */
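Review bot: The new clamp on `eom` bounds only the upper side of `length`; if `length` is a signed int (its declaration is outside the hunk), a zero or negative value still puts `eom` at or before `exp_dn`. An early `if (length <= 0) return (-1);` ahead of this assignment would close that case, assuming -1 is this function's error return. A short comment such as `/* never expand beyond MAXDNAME, whatever size the caller claims */` would also explain why a larger caller buffer is deliberately not used.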

Index: libc/net/res_init.c

RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/net/res_init.c,v retrieving revision 1.12
diff -u -r1.12 res_init.c
--- res_init.c	1997/02/22 15:00:32	1.12
+++ res_init.c	1997/04/28 20:15:17

@@ -177,8 +177,9 @@
 _res.pfcode = 0;
 /* Allow user to override the local domain definition */
- if ((cp = getenv("LOCALDOMAIN")) != NULL) {
+ if (issetugid() == 0 && (cp = getenv("LOCALDOMAIN")) != NULL) {
 (void)strncpy(_res.defdname, cp, sizeof(_res.defdname) - 1);
+ _res.defdname[sizeof(_res.defdname) - 1] = '\0';
 haveenv++;
 /*
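Review bot: The three `strncpy()` sites (this hunk and the ones at -231 and -246) now always terminate `_res.defdname`, but a value longer than the buffer is still truncated silently, so the resolver can end up with a default domain nobody configured. Consider skipping the value when `strlen(cp) >= sizeof(_res.defdname)` rather than copying a prefix, or at least add `/* over-long names are truncated, not rejected */` at each site. The surrounding function is outside all three hunks.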
@@ -231,6 +232,7 @@

 if ((*cp == '\0') || (*cp == '\n'))
 continue;
 strncpy(_res.defdname, cp, sizeof(_res.defdname) - 1);
+ _res.defdname[sizeof(_res.defdname) - 1] = '\0';
 if ((cp = strpbrk(_res.defdname, " \t\n")) != NULL)
 *cp = '\0';
 havesearch = 0;
@@ -246,6 +248,7 @@
 if ((*cp == '\0') || (*cp == '\n'))
 continue;
 strncpy(_res.defdname, cp, sizeof(_res.defdname) - 1);
+ _res.defdname[sizeof(_res.defdname) - 1] = '\0';
 if ((cp = strchr(_res.defdname, '\n')) != NULL)
 *cp = '\0';
 /*
@@ -379,7 +382,9 @@

 #endif /* !RFC1535 */

         }  

  • if ((cp = getenv("RES_OPTIONS")) != NULL)
+ if (issetugid())
+ _res.options |= RES_NOALIASES;
+ else if ((cp = getenv("RES_OPTIONS")) != NULL)
 res_setoptions(cp, "env");
 _res.options |= RES_INIT;
 return (0);
Index: libc/nls/msgcat.c
RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/nls/msgcat.c,v retrieving revision 1.9
diff -u -r1.9 msgcat.c
--- msgcat.c 1997/03/25 05:36:37 1.9
+++ msgcat.c 1997/04/28 20:02:30
@@ -101,9 +101,8 @@
 } else {
 if ((lang = (char *) getenv("LANG")) == NULL)
 lang = "C";
  • /* XXX Should really be issetguid(), but we don't have that */
 if ((nlspath = (char *) getenv("NLSPATH")) == NULL ||
  • getuid() != geteuid() || getgid() != getegid()) {
+ issetguid() != 0) {
 nlspath = "/usr/share/nls/%L/%N.cat:/usr/share/nls/%N/%L:/usr/local/share/nls/%L/%N.cat:/usr/local/share/nls/%N/%L";
 }
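Review bot: The added condition calls `issetguid()`, while every other file in this patch uses `issetugid()`; the spelling looks carried over from the typo in the XXX comment being removed. With no prototype in scope this would compile as an implicit declaration and only fail at link time, so the line should read `issetugid() != 0) {`. Because this replaces the explicit uid/gid comparison that guarded `NLSPATH`, it is worth confirming the set-id case still falls back to the built-in path after the fix.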

Index: libc/stdio/mktemp.c



RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/stdio/mktemp.c,v retrieving revision 1.7
diff -u -r1.7 mktemp.c
--- mktemp.c	1997/04/07 18:01:10	1.7
+++ mktemp.c	1997/04/26 18:49:42

@@ -59,10 +59,20 @@

 }  

 char *
-mktemp(path)
+_mktemp(path)

         char *path;
 {

         return(_gettemp(path, (int *)NULL) ? path : (char *)NULL);

+}
+
+__warn_references(mktemp,
+    "warning: mktemp() possibly used unsafely; consider using mkstemp()");
+
+char *
+mktemp(path)
+	char *path;
+{
+	return(_mktemp(path));

 }  

 static int
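Review bot: `_mktemp()` is introduced with no comment saying why it exists, and it keeps the same generate-a-name-then-open race that the new link-time warning is about. A comment above it, e.g. `/* internal entry point: mktemp() without the link warning; callers must create the file with O_CREAT|O_EXCL */`, would stop later libc code from treating it as a safe variant. It is also a new global symbol with no shared declaration, which is why tempnam.c and tmpnam.c each hand-write an `extern`; a prototype in a private libc header would keep those from drifting.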
Index: libc/stdio/tempnam.c



RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/stdio/tempnam.c,v retrieving revision 1.5
diff -u -r1.5 tempnam.c
--- tempnam.c	1997/02/22 15:02:37	1.5
+++ tempnam.c	1997/04/28 19:51:28

@@ -47,6 +47,11 @@

 #include <unistd.h>
 #include <paths.h>  
+__warn_references(tempnam,
+    "warning: tempnam() possibly used unsafely; consider using mkstemp()");
+
+extern char *_mktemp __P((char *));
+

 char *
 tempnam(dir, pfx)

         const char *dir, *pfx;
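Review bot: The `extern char *_mktemp __P((char *));` declaration added here is not used by anything this diff changes: the call visible in the next hunk is still `if ((f = mktemp(name)))`, and the tmpnam.c section adds the same declaration without touching any call. If the intent is for libc's own callers to avoid the warned symbol, the calls need to become `_mktemp(name)`; otherwise the declarations are dead and can go. Call sites outside the shown hunks are unchanged by definition, since they would otherwise appear in the diff.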
@@ -60,7 +65,7 @@

 	if (!pfx)
 		pfx = "tmp.";
 
-	if ((f = getenv("TMPDIR"))) {
+	if (issetugid() == 0 && (f = getenv("TMPDIR"))) {
 		(void)snprintf(name, MAXPATHLEN, "%s%s%sXXXXXX", f,
 		    *(f + strlen(f) - 1) == '/'? "": "/", pfx);
 		if ((f = mktemp(name)))
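Review bot: An empty `TMPDIR` still passes the new condition, and the context line below then evaluates `*(f + strlen(f) - 1)`, which reads one byte before the string when `strlen(f)` is 0. Extending the test to `if (issetugid() == 0 && (f = getenv("TMPDIR")) && *f != '\0') {` keeps that out-of-bounds read from being reachable. The rest of `tempnam()` is outside the hunk.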

Index: libc/stdio/tmpnam.c

RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/stdio/tmpnam.c,v retrieving revision 1.1.1.1
diff -u -r1.1.1.1 tmpnam.c
--- tmpnam.c	1994/05/27 04:57:32	1.1.1.1
+++ tmpnam.c	1997/04/28 19:52:25

@@ -43,6 +43,11 @@

 #include <stdio.h>
 #include <unistd.h>  
+__warn_references(tmpnam,
+    "warning: tmpnam() possibly used unsafely; consider using mkstemp()");
+
+extern char *_mktemp __P((char *));
+

 char *
 tmpnam(s)

         char *s;
Index: libc/stdtime/localtime.c



RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/stdtime/localtime.c,v retrieving revision 1.15
diff -u -r1.15 localtime.c
--- localtime.c	1997/03/25 05:34:31	1.15
+++ localtime.c	1997/04/29 14:35:28

@@ -273,6 +273,11 @@
 register int i;
 register int fid;
+ /* XXX The following is from OpenBSD, and I'm not sure it is correct */
+ if (name != NULL && issetugid() != 0)
+ if ((name[0] == ':' && name[1] == '/') ||
+ name[0] == '/' || strchr(name, '.'))
+ name = NULL;
 if (name == NULL && (name = TZDEFAULT) == NULL)
 return -1;
 {
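Review bot: The added XXX comment records doubt but not what the check is meant to enforce, which makes it hard to review later. From the visible lines it discards a TZ value in a set-id process when it is an absolute path (with or without a leading ':') or contains a '.', presumably so that only names under TZDIR are opened; a comment stating that, e.g. `/* set-id: ignore TZ values that are absolute paths or contain '.' */`, would be more useful. The nested `if` pair would also read more safely with braces or merged into one condition with `&&`.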
@@ -293,7 +298,7 @@
 if (!doaccess) {
 if ((p = TZDIR) == NULL)
 return -1;
- if ((strlen(p) + strlen(name) + 1) >= sizeof fullname)
+ if ((strlen(p) + 1 + strlen(name) + 1) >= sizeof fullname)
 return -1;
 (void) strcpy(fullname, p);
 (void) strcat(fullname, "/");
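Review bot: The corrected length test would be easier to verify with its terms labelled, for example `/* dir + '/' + name + NUL */` above the `if`. With both `+ 1` terms and `>=` the check is one byte stricter than required, which is harmless but worth noting so nobody "fixes" it back. The copy into `fullname` continues outside the hunk.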
@@ -306,7 +311,7 @@
 name = fullname;
 }
 if (doaccess && access(name, R_OK) != 0)
- return -1;
+ return -1;
 if ((fid = open(name, OPEN_MODE)) == -1)
 return -1;
 if ((fstat(fid, &stab) < 0) || !S_ISREG(stab.st_mode))
Index: libedit/el.c

RCS file: /home/imp/FreeBSD/CVS/src/lib/libedit/el.c,v retrieving revision 1.3
diff -u -r1.3 el.c
--- el.c	1997/03/23 23:17:22	1.3
+++ el.c	1997/04/28 20:23:05

@@ -77,7 +77,7 @@
el->el_prog = strdup(prog);

 #ifdef DEBUG
- if ((tty = getenv("DEBUGTTY")) != NULL) {
+ if (issetugid() == 0 && (tty = getenv("DEBUGTTY")) != NULL) {

 	el->el_errfile = fopen(tty, "w");
 	if (el->el_errfile == NULL) {
 		extern errno;

@@ -291,7 +291,7 @@
 if (fname == NULL) {
 fname = &elpath[1];
 if ((fp = fopen(fname, "r")) == NULL) {
- if ((ptr = getenv("HOME")) == NULL)
+ if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL)
 return -1;
 (void)snprintf(path, sizeof(path), "%s%s", ptr, elpath);
 fname = path;
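Review bot: The `issetugid()` test is reached only after `fopen(fname, "r")` on `&elpath[1]` has failed, so a set-id program still reads the default rc file from the current working directory, which the invoking user chooses. If the aim is to keep untrusted configuration out of set-id processes, the test belongs before that first `fopen()`, e.g. `if (issetugid() != 0) return -1;` ahead of `fname = &elpath[1];`. The definition of `elpath` and the rest of the function are outside the hunk, so confirm what the relative name resolves to.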

Index: libftpio/ftpio.c

RCS file: /home/imp/FreeBSD/CVS/src/lib/libftpio/ftpio.c,v retrieving revision 1.25
diff -u -r1.25 ftpio.c
--- ftpio.c	1997/02/22 15:06:50	1.25
+++ ftpio.c	1997/03/22 05:07:29

@@ -35,6 +35,7 @@
 #include 
 #include <string.h>
 #include <unistd.h>
+#include <sys/param.h>
 #define SUCCESS 0
 #define FAILURE -1
@@ -701,7 +702,7 @@
 return FAILURE;
 }
 ftp->addrtype = sin.sin_family = he->h_addrtype;
- bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
+ bcopy(he->h_addr, (char *)&sin.sin_addr, MIN(he->h_length,sizeof(sin.sin_addr)));
 }
 sin.sin_port = htons(port);
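Review bot: Clamping with `MIN()` stops the overflow, but a resolver reply whose `h_length` does not match `sizeof(sin.sin_addr)` is still accepted and a partial address is copied, while `sin.sin_family` is taken from `he->h_addrtype` unchecked on the line above. Rejecting the record instead, e.g. `if (he->h_addrtype != AF_INET || he->h_length != sizeof(sin.sin_addr)) return FAILURE;`, avoids connecting to an address built from mismatched data. The same clamp-instead-of-reject pattern is in the libskey/skeyaccess.c hunk. Any cleanup needed before returning is outside this hunk.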
Index: libskey/skeyaccess.c

RCS file: /home/imp/FreeBSD/CVS/src/lib/libskey/skeyaccess.c,v retrieving revision 1.7
diff -u -r1.7 skeyaccess.c
--- skeyaccess.c	1996/10/17 21:49:34	1.7
+++ skeyaccess.c	1997/03/22 05:08:11

@@ -408,12 +408,11 @@
 
     for (i = 0; i < MAX_ADDR && hp->h_addr_list[i]; i++)
 	memcpy((char *) &list[i],
-	       hp->h_addr_list[i], hp->h_length);
+	       hp->h_addr_list[i], (length=MIN(hp->h_length, sizeof(struct in_addr))));
 list[i].s_addr = 0;
 strncpy(buf, hp->h_name, MAXHOSTNAMELEN);
- buf[MAXHOSTNAMELEN] = 0;
- length = hp->h_length;
+ buf[MAXHOSTNAMELEN - 1] = 0;  
     /*
      * Wipe addresses that appear to belong to someone else. We will get
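Review bot: `length` is now assigned only as a side effect inside the `memcpy()` argument, so when the loop body never runs (an empty `h_addr_list`) it keeps whatever value it had before, whereas the removed `length = hp->h_length;` always set it. Unless it is initialised earlier (not visible here), later uses would read an indeterminate value. Computing it once before the loop, `length = MIN(hp->h_length, sizeof(struct in_addr));`, and passing `length` to `memcpy()` fixes that and is easier to read. The code that consumes `length` is outside the hunk.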
Received on Tue Apr 29 15:51:37 1997
