Re: Can anyone verify a core dump on /sbin/mingetty

[Derry Hamilton <derry.hamilton () pa press net>]

This appears to be the case with the Debian version as well.
It is due to an unprotected strcat in open_tty(void).  This is trivially fixed
as follows:

163a164
>       #define BUFLEN 20
165c166
<       char buf[20];
---
>       char buf[BUFLEN];
166a168
>       int bufremaining=BUFLEN;
183c185,186
<       strcat (buf, tty);
---
>       bufremaining -= strlen(buf);
>       strncat (buf, tty,bufremaining);

There are unprotected buffers all over the place in mingetty.c,
which leads me to conclude that other buffer overflows are very likely.



> *nix Issue - Anyone with 'mingetty':

> After all the vi overflows, and wu-ftpd etc recently I thought I would have a 
> sniff around a default redhat 7.1 box too see what I could find.  Anyway I  
> managed to dump core on /sbin/mingetty and thought it would be worth 
> reporting:
> [m0le@mainframe /sbin]$ ./mingetty `perl -e 'print "A"x9000'`
> Segmentation fault
> [m0le@mainframe /sbin]$ 


-- 
Derry Hamilton, rasilon () tardis ed ac uk
"I think your cats need tuning - according to a couple of quick measurements
on a recently calibrated reference cat, the dominant frequency of a correctly
adjusted cat should be 12Hz +/-20%."  ===Lionel Lauer on a.s.r===