Vulnerability Development mailing list archives

Re: New bugs discovered!
From: "Crist J. Clark" <cristjc () earthlink net>
Date: Mon, 19 Nov 2001 00:59:04 -0800

On Sun, Nov 18, 2001 at 09:04:31PM +0300, Yaroslav Klyukin wrote:
> vuln-dev wrote:
> 
> > GOBBLES security is happy to announce the discovery of multiple bugs in
> > /bin/gzip, which can be exploited remotely with a bit of creativity.
> > Attached is our advisory on the matter.
> 
> Hey, I have tried
> 
> /bin/gzip `perl -e 'print "A" x 2048'`
> 
> on Linux and FreeBSD. It didn't work.

On FreeBSD 4-STABLE, there is the following code in gzip.c,

1.8          (wosch    27-Dec-97):     if (strlen(iname) >= sizeof(ifname) - 3) {
1.8          (wosch    27-Dec-97):      errno = ENAMETOOLONG;
1.8          (wosch    27-Dec-97):      perror(iname);
1.8          (wosch    27-Dec-97):      exit_code = ERROR;
1.8          (wosch    27-Dec-97):      return ERROR;
1.8          (wosch    27-Dec-97):     }
1.1          (nate     18-Jun-93): 
1.1          (nate     18-Jun-93):     strcpy(ifname, iname);

So that's been fixed for a little under four years.

As for the particular strcpy(3) quoted in the original mail,

        strcpy(nbuf,dir)

1.1          (nate     18-Jun-93):      len = strlen(dir);
1.1          (nate     18-Jun-93):      if (len + NLENGTH(dp) + 1 < MAX_PATH_LEN - 1) {
1.1          (nate     18-Jun-93):          strcpy(nbuf,dir);

The length was actually checked first in the original '93 import.
-- 
Crist J. Clark                     |     cjclark () alum mit edu
                                   |     cjclark () jhu edu
http://people.freebsd.org/~cjc/    |     cjc () freebsd org
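To make the point concrete, here is an added C example (not from the thread and not gzip's own code) that rebuilds the two guards quoted above in stand-alone form and feeds them the 2048-byte name from the test. MAX_PATH_LEN, the buffer sizes and the helper names are constructed for the demo.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 1024  /* constructed value for the demo, not gzip's */
#define OK    0
#define ERROR 1

static char ifname[MAX_PATH_LEN];
static char nbuf[MAX_PATH_LEN];
static char scratch[4096];

/* Same guard as the gzip.c lines quoted above: reject a name that would not
 * fit in ifname with 3 bytes of headroom, before strcpy ever runs. */
int set_input_name(const char *iname)
{
    if (strlen(iname) >= sizeof(ifname) - 3) {
        errno = ENAMETOOLONG;
        return ERROR;
    }
    strcpy(ifname, iname);  /* bounded by the check above */
    return OK;
}

/* Same idea as the directory-walk guard: join dir + "/" + entry into nbuf
 * only when the combined length (plus separator and NUL) is known to fit. */
const char *join_demo(const char *dir, const char *entry)
{
    size_t len = strlen(dir);
    if (len + strlen(entry) + 1 < sizeof(nbuf) - 1) {
        strcpy(nbuf, dir);
        nbuf[len++] = '/';
        strcpy(nbuf + len, entry);
        return nbuf;
    }
    return NULL;  /* would overflow: refuse, as gzip does */
}

/* Constructed input: n bytes of 'A', like the perl one-liner in the thread. */
const char *make_name(size_t n)
{
    if (n >= sizeof(scratch)) n = sizeof(scratch) - 1;
    memset(scratch, 'A', n);
    scratch[n] = '\0';
    return scratch;
}

int main(void)
{
    puts(set_input_name(make_name(2048)) == ERROR ? "2048 x 'A': rejected" : "accepted");
    return join_demo("/tmp", "file.gz") ? 0 : 1;
}
```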
