bin/80661: [SECURITY] Missing NULL termination after strncpy() in
rlogin(1)
Przemyslaw Frasunek
venglin at freebsd.lublin.pl
Thu May 5 06:50:05 PDT 2005
>Number: 80661
>Category: bin
>Synopsis: [SECURITY] Missing NULL termination after strncpy() in rlogin(1)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu May 05 13:50:04 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Przemyslaw Frasunek
>Release: FreeBSD 4.11-STABLE i386
>Organization:
czuby.net
>Environment:
System: FreeBSD lagoon.freebsd.lublin.pl 4.11-STABLE FreeBSD 4.11-STABLE #0: Tue Feb 8 12:36:09 CET 2005 root at riget.scene.pl:/usr/src/sys/compile/RIGET i386
>Description:
usr.bin/rlogin/rlogin.c:
#ifdef KERBEROS
case 'k':
dest_realm = dst_realm_buf;
(void)strncpy(dest_realm, optarg, REALM_SZ);
break;
#endif
Dest_realm buffer isn't NULL terminated if sizeof(optarg) == REALM_SZ
leading to possible security vulnerability. Rlogin client
is setuid root and offending code is executed before dropping
privs.
The bug is present only in RELENG_4 if rlogin is compiled
with Kerberos support. RELENG_5 is dekerberized and therefore
not buggy.
>How-To-Repeat:
N/A
>Fix:
--- usr.bin/rlogin/rlogin.c.old Thu May 5 15:41:13 2005
+++ usr.bin/rlogin/rlogin.c Thu May 5 15:42:46 2005
@@ -228,7 +228,7 @@
#ifdef KERBEROS
case 'k':
dest_realm = dst_realm_buf;
- (void)strncpy(dest_realm, optarg, REALM_SZ);
+ (void)strlcpy(dest_realm, optarg, REALM_SZ);
break;
#endif
case 'l':
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list