Bugtraq mailing list archives
Re: bin/2983: Security bug (buffer overflow) in
From: eivind () FREEBSD ORG (Eivind Eklund)
Date: Mon, 17 Mar 1997 12:10:41 +0100
At 02:56 PM 3/16/97 -0600, Tero Kivinen wrote:
The termcap library's tgoto function has a buffer overflow bug that can be used to overwrite data in the BSS segment. The tgoto function has a static char result[MAXRETURNSIZE] (64 characters) buffer that is used to return the cursor addressing string from tgoto. If the cm capability has more than 64 characters in it, tgoto will overwrite something in the BSS segment after the result variable. There are no checks on the length of the cm string, nor any check that the resulting string is not longer than MAXRETURNSIZE characters.
This is now fixed in FreeBSD - RELENG_2_1_0, RELENG_2_2, and HEAD. Anybody on CVSup or CTM should get the changes later today. Sorry for the delay. If somebody wants just the diffs, they can be fetched directly from the FreeBSD CVS tree: http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libtermcap/tgoto.c?r1=1.4&r2=1.5
Eivind Eklund
perhaps () yes no
http://maybe.yes.no/perhaps/
eivind () freebsd org
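As an added illustration of the missing bound the report describes (this is not the FreeBSD fix linked above nor libtermcap code), the C sketch below expands a subset of termcap cm codes into a 64-byte static result buffer while tracking the output length, and returns tgoto's "OOPS" error string instead of writing past the end. expand_cm and tgoto_bounded are assumed names, and the real tgoto handles many more % codes than this subset.

```c
#include <stdio.h>
#include <string.h>

#define MAXRETURNSIZE 64   /* the static result[] size the report describes */

/* Expand a termcap-style cm string into out[], taking parameters in the default
 * line-then-column order.  Handles a subset of codes: %d (decimal), %+x (the
 * parameter added to x, emitted as one char) and %%.  Returns bytes written
 * (no NUL), or -1 if it would not fit in outsz or the string is malformed. */
int expand_cm(const char *cm, int line, int col, char *out, size_t outsz)
{
    int args[2] = { line, col }, argi = 0;
    size_t n = 0, len;
    char tmp[16];

    if (outsz == 0) return -1;
    for (const char *p = cm; *p != '\0'; p++) {
        if (*p != '%') {
            tmp[0] = *p, len = 1;
        } else switch (*++p) {
        case 'd':
            if (argi > 1) return -1;
            len = (size_t)snprintf(tmp, sizeof tmp, "%d", args[argi++]);
            break;
        case '+':
            if (argi > 1 || p[1] == '\0') return -1;
            tmp[0] = (char)(args[argi++] + (unsigned char)*++p), len = 1;
            break;
        case '%':
            tmp[0] = '%', len = 1;
            break;
        default:
            return -1;   /* unsupported or truncated % code */
        }
        /* The length check the reported tgoto lacked: never pass the end. */
        if (n + len >= outsz) return -1;
        memcpy(out + n, tmp, len);
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}

static char result[MAXRETURNSIZE];   /* same static buffer shape as tgoto */
/* tgoto-style wrapper (assumed name): an oversized expansion yields the "OOPS"
 * error string instead of overwriting whatever follows result[] in BSS. */
const char *tgoto_bounded(const char *cm, int col, int line)
{
    return expand_cm(cm, line, col, result, sizeof result) < 0 ? "OOPS" : result;
}
```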