Bugtraq mailing list archives
Off-by-one Buffer Overflow Vulnerability in BSD libc realpath(3)
From: Dave Ahmad <da () securityfocus com>
Date: Mon, 4 Aug 2003 11:33:43 -0600 (MDT)
Originally reported as affecting only WU-FTPD. It seems that the bug is in code borrowed from the BSD C library. NetBSD, FreeBSD and OpenBSD announcements attached.

David Mirza Ahmad
Symantec

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
--
The battle for the past is for the future.
We must be the winners of the memory war.

--- Begin Message ---
From: "Todd C. Miller" <Todd.Miller () courtesan com>
Date: Mon, 04 Aug 2003 11:03:06 -0600
[ this version has some typos fixed ]

An off-by-one error exists in the C library function realpath(3). This is the same bug that was recently found in the wu-ftpd ftpd server by Janusz Niewiadomski and Janusz Niewiadomski.

The OpenBSD ftp daemon does not use realpath(3) in a way that could be exploited, however a number of other system binaries also use the function. It is not currently known whether or not this bug results in an exploitable security hole on OpenBSD. Since the bug led to an exploitable hole in wu-ftpd, it is entirely possible that some program using realpath(3) under OpenBSD may be vulnerable to attack.

For OpenBSD 3.3 and higher, the ProPolice stack protector should provide some protection from this bug, but this cannot be guaranteed.

This bug has been fixed in OpenBSD-current as well as the 3.2 and 3.3 stable branches. Patches are available for OpenBSD 3.2 and 3.3.

Patch for OpenBSD 3.2:
ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.2/common/015_realpath.patch

Patch for OpenBSD 3.3:
ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.3/common/001_realpath.patch

For versions of OpenBSD prior to 3.2, users may simply fetch the current revision of realpath.c from:
ftp://ftp.OpenBSD.org/pub/OpenBSD/src/lib/libc/stdlib/realpath.c
then rebuild and install libc with the new realpath.c.

For more details, see the description of the wu-ftpd fp_realpath bug:
http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
--- End Message ---
Attachment: FreeBSD-SA-03:08.realpath
Attachment: NetBSD-SA2003-011.txt.asc
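
Added example, not part of the original posts and not the libc source: a simplified model of the class of bug the advisory names, an off-by-one in the length check that guards a path join, shown beside a corrected check and a bounded join. The function names, the 16-byte buffer standing in for MAXPATHLEN, and the sample paths are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for MAXPATHLEN, kept small for the demo (constructed value). */
#define BUF_SIZE ((size_t)16)

/* "/" already ends in a separator, so joining onto it adds no slash. */
static int is_root(const char *dir) { return strcmp(dir, "/") == 0; }

/* Exact bytes that dir + optional "/" + name + NUL will occupy. */
size_t bytes_needed(const char *dir, const char *name)
{
    return strlen(dir) + (is_root(dir) ? 0 : 1) + strlen(name) + 1;
}

/* Flawed check: the separator byte is never counted, so a join that
 * needs BUF_SIZE + 1 bytes is accepted for a non-root directory. */
int fits_off_by_one(const char *dir, const char *name)
{
    return strlen(dir) + strlen(name) + 1 <= BUF_SIZE;
}

/* Corrected check: every byte the join writes is counted. */
int fits_correct(const char *dir, const char *name)
{
    return bytes_needed(dir, name) <= BUF_SIZE;
}

/* Bounded join: returns 0 on success, -1 if the result would not fit.
 * snprintf never writes past outsz, whatever the caller's check said. */
int join_path(char *out, size_t outsz, const char *dir, const char *name)
{
    int n = snprintf(out, outsz, "%s%s%s", dir, is_root(dir) ? "" : "/", name);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

int main(void)
{
    char out[16];
    const char *dir = "/usr/share", *name = "abcde"; /* constructed input */

    printf("needed=%zu buffer=%zu flawed_check=%d correct_check=%d join=%d\n",
           bytes_needed(dir, name), sizeof out,
           fits_off_by_one(dir, name), fits_correct(dir, name),
           join_path(out, sizeof out, dir, name));
    return 0;
}
```

With unbounded strcat() calls behind the flawed check, the one uncounted byte is the terminating NUL written just past the end of the buffer.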