ports/56006: [PATCH] buffer overflows in databases/gnats

Oliver Eikemeier eikemeier at fillmore-labs.com
Tue Aug 26 15:20:17 UTC 2003


>Number:         56006
>Category:       ports
>Synopsis:       [PATCH] buffer overflows in databases/gnats
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 26 08:20:15 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Oliver Eikemeier
>Release:        FreeBSD 4.8-STABLE i386
>Organization:
Fillmore Labs - http://www.fillmore-labs.com
>Environment:
System: FreeBSD nuuk.fillmore-labs.com 4.8-STABLE

>Description:

A security vulnerability has been found in the 3.113.1 release:
  http://www.securityfocus.com/archive/1/326337

Impact: Local privilege elevation.
  pr-edit, queue-pr and gen-index are installed setuid gnats and
  can be exploited.

>How-To-Repeat:
>Fix:

A quick fix is the patch below from the security advisory. Don't forget to bump PORTREVISION.

As stated on http://www.gnu.org/software/gnats/ :
  "There are no plans to fix this problem, all GNATS users should upgrade to 4.0"

GNATS 4.0 is submitted as port databases/gnats4 in PR 55876:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=55876

I'm willing to help migrate the FreeBSD PR database to GNATS 4.0.

By the way, gnats 3.113.1 doesn't seem to build on -CURRENT:
  http://bento.freebsd.org/errorlogs/i386-5-latest/gnats-3.113.1_7.log
and package building fails on -STABLE (needs to use the new INFO macro)
  http://bento.freebsd.org/errorlogs/i386-4-latest/gnats-3.113.1_7.log

--- gnats-security.patch begins here ---
diff -Nur databases/gnats/files/patch-gnats::files.c.orig databases/gnats/files/patch-gnats::files.c
--- databases/gnats/files/patch-gnats::files.c.orig	Thu Jan  1 01:00:00 1970
+++ databases/gnats/files/patch-gnats::files.c	Tue Aug 26 16:17:15 2003
@@ -0,0 +1,29 @@
+--- gnats/files.c.orig	Mon Feb 12 06:36:25 2001
++++ gnats/files.c	Sat Jun 14 13:17:58 2003
+@@ -271,7 +271,7 @@
+   char *path = (char *) alloca (PATH_MAX);
+ 
+   memset (array, 0, NUM_RESPONSIBLE_FIELDS * sizeof (char *));
+-  sprintf (path, "%s/gnats-adm/%s", gnats_root, RESPONSIBLE_FILE);
++  snprintf (path, PATH_MAX-1, "%s/gnats-adm/%s", gnats_root, RESPONSIBLE_FILE);
+   fp = fopen (path, "r");
+   if (fp == NULL)
+     return 0;
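Review bot: the size argument `PATH_MAX-1` in the replacement line `snprintf (path, PATH_MAX-1, ...)` undercounts by one: snprintf reserves room for the terminating NUL inside the size it is given, and `path` is `alloca (PATH_MAX)` two lines above, so the bound should be `PATH_MAX`. That only wastes a byte, but the discarded return value matters more: a `gnats_root` long enough to have overflowed the old sprintf now yields a silently shortened path that is handed straight to `fopen (path, "r")`. Test for `n < 0 || n >= PATH_MAX` and treat truncation as an error instead of opening whatever remains.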
+@@ -358,7 +358,7 @@
+   int  i, nerrs = 0;
+ 
+   memset (array, 0, NUM_CLASS_FIELDS * sizeof (char *));
+-  sprintf (path, "%s/gnats-adm/%s", gnats_root, CLASSES);
++  snprintf (path, PATH_MAX-1, "%s/gnats-adm/%s", gnats_root, CLASSES);
+   fp = fopen (path, "r");
+ 
+   if (fp == NULL)
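Review bot: the declaration of `path` lies outside the context shown in this hunk, so nothing in the patch confirms that the buffer behind `snprintf (path, PATH_MAX-1, ...)` is actually PATH_MAX bytes; please include or cite the declaration so the bound can be checked against the real buffer size. The snprintf result should also be tested for truncation (`>= PATH_MAX`) before the `fopen (path, "r")` that follows, otherwise a too-long root opens a different file than intended.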
+@@ -593,7 +593,7 @@
+   int  i, nerrs = 0;
+ 
+   memset (array, 0, NUM_STATE_FIELDS * sizeof (char *));
+-  sprintf (path, "%s/gnats-adm/%s", gnats_root, STATES);
++  snprintf (path, PATH_MAX-1, "%s/gnats-adm/%s", gnats_root, STATES);
+   fp = fopen (path, "r");
+ 
+   if (fp == NULL)
diff -Nur databases/gnats/files/patch-gnats::gen-index.c.orig databases/gnats/files/patch-gnats::gen-index.c
--- databases/gnats/files/patch-gnats::gen-index.c.orig	Thu Jan  1 01:00:00 1970
+++ databases/gnats/files/patch-gnats::gen-index.c	Tue Aug 26 16:17:42 2003
@@ -0,0 +1,11 @@
+--- gnats/gen-index.c.orig	Wed Sep 22 08:18:39 1999
++++ gnats/gen-index.c	Sat Jun 14 13:19:58 2003
+@@ -256,7 +256,7 @@
+   Categories *c;
+ 
+   if (! catfile)
+-    sprintf (path, "%s/gnats-adm/%s", gnats_root, CATEGORIES);
++    snprintf (path, PATH_MAX-1, "%s/gnats-adm/%s", gnats_root, CATEGORIES);
+   else
+     path = catfile;
+ 
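Review bot: `path` is assigned from `catfile` in the `else` branch, so it is a pointer rather than a local array, and neither its declaration nor the size of the storage it points at is in the shown context; the `PATH_MAX-1` bound is only correct if `path` already points to a PATH_MAX-byte buffer whenever `catfile` is NULL. Please show the declaration, and check the snprintf return value so that a truncated category file name (`>= PATH_MAX`) is reported rather than opened.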
diff -Nur databases/gnats/files/patch-gnats::index.c.orig databases/gnats/files/patch-gnats::index.c
--- databases/gnats/files/patch-gnats::index.c.orig	Thu Jan  1 01:00:00 1970
+++ databases/gnats/files/patch-gnats::index.c	Tue Aug 26 16:17:58 2003
@@ -0,0 +1,11 @@
+--- gnats/index.c.orig	Thu Mar 18 08:45:38 1999
++++ gnats/index.c	Sat Jun 14 13:22:21 2003
+@@ -399,7 +399,7 @@
+   if (! index_filename)
+     {
+       index_filename = (char *) xmalloc (PATH_MAX);
+-      sprintf (index_filename, "%s/gnats-adm/%s", gnats_root, INDEX);
++      snprintf (index_filename, PATH_MAX-1, "%s/gnats-adm/%s", gnats_root, INDEX);
+     }
+ 
+   fp = fopen (index_filename, "r");
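Review bot: `index_filename` is allocated with `xmalloc (PATH_MAX)` on the line above, so the bound passed to snprintf should be `PATH_MAX`, not `PATH_MAX-1`; snprintf already counts the terminating NUL within the size it is given. The truncation case is also unhandled: a root long enough to have overflowed the old sprintf now produces a shortened name that is then passed to `fopen (index_filename, "r")`, so check the return value against PATH_MAX and fail rather than continue with a wrong index file.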
diff -Nur databases/gnats/files/patch-gnats::internal.c.orig databases/gnats/files/patch-gnats::internal.c
--- databases/gnats/files/patch-gnats::internal.c.orig	Thu Jan  1 01:00:00 1970
+++ databases/gnats/files/patch-gnats::internal.c	Tue Aug 26 16:18:06 2003
@@ -0,0 +1,11 @@
+--- gnats/internal.c.orig	Wed Mar  3 09:18:53 1999
++++ gnats/internal.c	Sat Jun 14 14:09:45 2003
+@@ -238,7 +238,7 @@
+   struct stat buf;
+   int count;
+ 
+-  sprintf (path, "%s/gnats-adm/gnats.lock", gnats_root);
++  snprintf (path, PATH_MAX-1, "%s/gnats-adm/gnats.lock", gnats_root);
+ 
+ #define MAXWAIT 10
+ #define GRANULARITY 1
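Review bot: silently truncating the lock path is worse here than in a read-only lookup: a cut-short `gnats.lock` name means the lock is created or checked under some other name, so two processes can each believe they hold the database lock. Check the snprintf return value (`>= PATH_MAX`) and abort the locking routine on truncation. The declaration of `path` is also outside the shown context, so the `PATH_MAX-1` bound cannot be verified from this hunk alone.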
--- gnats-security.patch ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
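The sprintf() pattern the advisory addresses, as an added example that is not part of this PR, the GNATS sources or the security advisory: a PATH_MAX path builder in its unbounded form beside a bounded form that also refuses truncated results, a check the patch above does not add. EXAMPLE_ROOT, EXAMPLE_FILE and the function names are assumptions chosen for the example; the real gnats_root and file names come from the GNATS build and its gnats-adm configuration.

```c
/* Added example, not GNATS code. Shows the unbounded sprintf() shape
 * behind the advisory next to a bounded replacement that treats
 * truncation as an error instead of silently using a shorter path.
 * build_path_unsafe() is kept only to show the defect; it must never
 * see an attacker-controlled root. */
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#ifndef PATH_MAX
#define PATH_MAX 1024
#endif

/* Hypothetical stand-ins for GNATS' gnats_root and RESPONSIBLE_FILE;
 * the real values are set at build time and in gnats-adm. */
#define EXAMPLE_ROOT "/usr/local/share/gnats"
#define EXAMPLE_FILE "responsible"

/* Pre-patch shape: no bound at all. A root longer than the buffer
 * allows writes past the end of `path` (shown for contrast only). */
void build_path_unsafe(char *path, const char *root, const char *file)
{
    sprintf(path, "%s/gnats-adm/%s", root, file);
}

/* Hardened shape. Returns 0 and fills `path` on success, -1 if the
 * result would not fit. snprintf returns the length it wanted to
 * write, so a value >= size means the output was truncated. The
 * buffer is emptied on failure so a caller cannot open a partial name. */
int build_path_checked(char *path, size_t size, const char *root, const char *file)
{
    if (size == 0)
        return -1;
    int n = snprintf(path, size, "%s/gnats-adm/%s", root, file);
    if (n < 0 || (size_t)n >= size) {
        path[0] = '\0';
        return -1;
    }
    return 0;
}

/* Demo helper: 1 if a root of `root_len` bytes (all 'A') is accepted
 * into a PATH_MAX buffer by build_path_checked(), 0 if it is rejected.
 * Lets the boundary be probed without building a real directory tree. */
int root_fits(size_t root_len)
{
    char root[PATH_MAX + 64];
    char path[PATH_MAX];
    if (root_len >= sizeof root)
        return 0;
    memset(root, 'A', root_len);
    root[root_len] = '\0';
    return build_path_checked(path, sizeof path, root, EXAMPLE_FILE) == 0;
}

int main(void)
{
    char path[PATH_MAX];
    if (build_path_checked(path, sizeof path, EXAMPLE_ROOT, EXAMPLE_FILE) == 0)
        printf("ok: %s\n", path);
    /* "/gnats-adm/responsible" is 22 bytes, so the longest root that
     * still fits with its NUL is PATH_MAX - 23; one byte more is refused
     * instead of being written past the buffer as sprintf would do. */
    printf("root of PATH_MAX-23 fits: %d\n", root_fits(PATH_MAX - 23));
    printf("root of PATH_MAX-22 fits: %d\n", root_fits(PATH_MAX - 22));
    return 0;
}
```

The important difference from the patch is the `n >= size` test: with snprintf alone, an over-long root no longer smashes the stack, but the setuid program would still go on to open a path other than the one the configuration named, which is a different bug rather than no bug.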


