bin/80661: [SECURITY] Missing NULL termination after strncpy() in rlogin(1)

[Przemyslaw Frasunek]

>Number:         80661
>Category:       bin
>Synopsis:       [SECURITY] Missing NULL termination after strncpy() in rlogin(1)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 05 13:50:04 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Przemyslaw Frasunek
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
czuby.net
>Environment:
System: FreeBSD lagoon.freebsd.lublin.pl 4.11-STABLE FreeBSD 4.11-STABLE #0: Tue Feb 8 12:36:09 CET 2005 root at riget.scene.pl:/usr/src/sys/compile/RIGET i386
>Description:

	usr.bin/rlogin/rlogin.c:
#ifdef KERBEROS
                case 'k':
                        dest_realm = dst_realm_buf;
                        (void)strncpy(dest_realm, optarg, REALM_SZ);
                        break;
#endif

	Dest_realm buffer isn't NULL terminated if sizeof(optarg) == REALM_SZ
	leading to possible security vulnerability. Rlogin client
	is setuid root and offending code is executed before dropping
	privs.

	The bug is present only in RELENG_4 if rlogin is compiled
	with Kerberos support. RELENG_5 is dekerberized and therefore
	not buggy.

>How-To-Repeat:
	N/A
>Fix:

--- usr.bin/rlogin/rlogin.c.old Thu May  5 15:41:13 2005
+++ usr.bin/rlogin/rlogin.c     Thu May  5 15:42:46 2005
@@ -228,7 +228,7 @@
 #ifdef KERBEROS
                case 'k':
                        dest_realm = dst_realm_buf;
-                       (void)strncpy(dest_realm, optarg, REALM_SZ);
+                       (void)strlcpy(dest_realm, optarg, REALM_SZ);
                        break;
 #endif
                case 'l':

>Release-Note:
>Audit-Trail:
>Unformatted: