Off-by-one Buffer Overflow Vulnerability in BSD libc realpath(3)

[Dave Ahmad <da () securityfocus com>]

Originally reported as affecting only WU-FTPD.  It seems that the bug
is in code borrowed from the BSD C library.  NetBSD, FreeBSD and OpenBSD
announcements attached.

David Mirza Ahmad
Symantec

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
--
The battle for the past is for the future.
We must be the winners of the memory war.
> --- Begin Message ---
>
>
> From: "Todd C. Miller" <Todd.Miller () courtesan com>
>
> Date: Mon, 04 Aug 2003 11:03:06 -0600
>
>
> [ this version has some typos fixed ]
>
> An off-by-one error exists in the C library function realpath(3).
> This is the same bug that was recently found in the wu-ftpd ftpd
> server by Janusz Niewiadomski and Janusz Niewiadomski.
>
> The OpenBSD ftp daemon does not use realpath(3) in a way that could
> be exploited, however a number of other system binaries also use
> the function.  It is not currently known whether or not this bug
> results in an exploitable security hole on OpenBSD.  Since the bug
> led to an exploitable hole in wu-ftpd, it is entirely possible that
> some program using realpath(3) under OpenBSD may be vulnerable to
> attack.  For OpenBSD 3.3 and higher, the ProPolice stack protector
> should provide some protection from this bug, but this cannot be
> guaranteed.
>
> This bug has been fixed in OpenBSD-current as well as the 3.2 and
> 3.3 stable branches.  Patches are available for OpenBSD 3.2 and 3.3.
>
> Patch for OpenBSD 3.2:
> ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.2/common/015_realpath.patch
>
> Patch for OpenBSD 3.3:
> ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.3/common/001_realpath.patch
>
> For versions of OpenBSD prior to 3.2, users may simply fetch
> the current revision of realpath.c from:
>     ftp://ftp.OpenBSD.org/pub/OpenBSD/src/lib/libc/stdlib/realpath.c
> then rebuild and install libc with the new realpath.c.
>
> For more details, see the description of the wu-ftpd fp_realpath bug:
>     http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
>
> --- End Message ---

Attachment: FreeBSD-SA-03:08.realpath
Description:

Attachment: NetBSD-SA2003-011.txt.asc
Description: