Vulnerability Development mailing list archives

Re: Hesiod security

From: KF <dotslash () snosoft com>
Date: Thu, 06 Jun 2002 22:09:32 -0400

Well RedHat and Debian seem to be on top of things. Here is the patchincluded with the RPM package:

"Hesiod libraries and sample programs.RedHat-7.3Sourceshesiod-3.0.2-18.src.rpm"


hesiod_3.0.2-12_i386.deb also seems to also have the problem fixed.

-KF


Matt Power wrote:


In the version of Hesiod used internally at MIT, this was fixed in
September 1997. See http://diswww.mit.edu/menelaus/bugs/15502

I'm aware that the latest distribution of Hesiod in the directory
ftp://athena-dist.mit.edu/pub/ATHENA/hesiod/ does not contain a fix
for this problem. There may also be other buffer overflows, or other
implementation problems, in Hesiod that were fixed at MIT or elsewhere
and are not incorporated in the athena-dist.mit.edu distribution. (And
there may be other such problems in Hesiod that no one has fixed.) The
"strcpy(bindname, name)" problem was also noted by other persons, and
some other distributions of Hesiod (for example, ones that are part of
a libc) have made different code changes in response to this problem.

There are a few places where untrusted information could cause problems.
There's a bug in the configuration file parser that might result in an
LHS= modifying the rhs setting.
The case-insensitive comparison routine is probably called safely (with the
second argument at least as long as the first), but it looks weird.
--- hesiod-3.0.2/hesiod.c       Wed Oct  3 15:16:17 2001
+++ hesiod-3.0.2/hesiod.c       Wed Oct  3 15:33:41 2001
@@ -138,7 +138,8 @@
   const char *rhs;
   int len;
        
-  strcpy(bindname, name);
+  strncpy(bindname, name, sizeof(bindname) - 1);
+  bindname[sizeof(bindname) - 1] = 0;
 
   /* Find the right right hand side to use, possibly truncating bindname. */
   p = strchr(bindname, '@');
@@ -288,7 +289,7 @@
 
       if (cistrcmp(key, "lhs") == 0 || cistrcmp(key, "rhs") == 0)
        {
-         which = (strcmp(key, "lhs") == 0) ? &ctx->lhs : &ctx->rhs;
+         which = (cistrcmp(key, "lhs") == 0) ? &ctx->lhs : &ctx->rhs;
          *which = malloc(strlen(data) + 1);
          if (!*which)
            {
@@ -462,7 +463,7 @@
 
 static int cistrcmp(const char *s1, const char *s2)
 {
-  while (*s1 && tolower(*s1) == tolower(*s2))
+  while (*s1 && *s2 && tolower(*s1) == tolower(*s2))
     {
       s1++;
       s2++;
--- hesiod-3.0.2/hespwnam.c     Wed Oct  3 15:29:40 2001
+++ hesiod-3.0.2/hespwnam.c     Wed Oct  3 15:29:43 2001
@@ -39,9 +39,16 @@
 
 struct passwd *hesiod_getpwuid(void *context, uid_t uid)
 {
-  char uidstr[16];
+  char uidstr[32];
 
-  sprintf(uidstr, "%d", uid);
-  return getpwcommon(context, uidstr, 1);
+  if (snprintf(uidstr, sizeof(uidstr), "%ld", (long)uid) < sizeof(uidstr))
+    {
+      return getpwcommon(context, uidstr, 1);
+    }
+  else
+    {
+      errno = ERANGE;
+      return NULL;
+    }
 }
 
--- hesiod-3.0.2/hesservbyname.c        Wed Oct  3 15:33:25 2001
+++ hesiod-3.0.2/hesservbyname.c        Wed Oct  3 15:33:22 2001
@@ -188,7 +188,7 @@
 
 static int cistrcmp(const char *s1, const char *s2)
 {
-  while (*s1 && tolower(*s1) == tolower(*s2))
+  while (*s1 && *s2 && tolower(*s1) == tolower(*s2))
     {
       s1++;
       s2++;

Current thread:

Hesiod security KF (Jun 06)
- Re: Hesiod security KF (Jun 06)
  - Re: Hesiod security Matt Power (Jun 06)
    - Re: Hesiod security KF (Jun 07)