Re: Bug#264846: telnet: Buffer Overrun by unchecked environment variables
On Tue, Aug 10, 2004 at 10:12:06AM -0700, Josh Martin wrote:
>
> -- no debconf information
> Although this should never actually happen, if you set your environment
> variable HOME to an extremely large string a buffer overflow will occur upon
> connecting to a server using telnet.
Urgh.. This really calls for an upload to t-p-u.
> I was not able to overwrite 'eip'
> but I have included a patch that fixes this problem.
Could you overwrite esp/ebp? Anyway, I'm CCing the security team for
assistance on the impact. I don't think it's release-critical since a
tainted HOME already implies there's a flaw somewhere.
> --- commands.orig.cc 2004-08-10 09:50:44.000000000 -0700
> +++ commands.cc 2004-08-10 09:51:07.000000000 -0700
> @@ -2148,7 +2148,7 @@
> if (rcname == 0) {
> rcname = getenv("HOME");
> if (rcname)
> - strcpy(rcbuf, rcname);
> + strncpy(rcbuf, rcname, 127);
> else
> rcbuf[0] = '\0';
> strcat(rcbuf, "/.telnetrc");
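Review bot: the `+ strncpy(rcbuf, rcname, 127);` line still lets the buffer overflow. For a HOME of 127 bytes or more it fills rcbuf[0..126] (the terminator at rcbuf[127] only survives because the array is static and zero-initialised), and the unchanged `strcat(rcbuf, "/.telnetrc");` that follows then writes 10 more bytes plus a NUL starting at index 127, i.e. past the end of the 128-byte buffer. The limit has to account for the suffix: replace the strcpy/strcat pair with `snprintf(rcbuf, sizeof rcbuf, "%s/.telnetrc", rcname);` and skip reading the file when the return value is greater than or equal to sizeof rcbuf, so a truncated path is never passed to readrc().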
I don't like it. This keeps the 127-byte hardcoded limit. What would you
think about:
--- netkit-telnet-0.17/telnet/commands.cc~ 2004-05-19 01:56:10.000000000 +0200
+++ netkit-telnet-0.17/telnet/commands.cc 2004-08-11 21:32:02.000000000 +0200
@@ -2139,22 +2139,14 @@
}
void cmdrc(const char *m1, const char *m2, const char *port) {
- static char *rcname = 0;
- static char rcbuf[128];
+ static char *rcname;
if (skiprc) return;
readrc(m1, m2, port, "/etc/telnetrc");
- if (rcname == 0) {
- rcname = getenv("HOME");
- if (rcname)
- strcpy(rcbuf, rcname);
- else
- rcbuf[0] = '\0';
- strcat(rcbuf, "/.telnetrc");
- rcname = rcbuf;
- }
+ asprintf (&rcname, "%s/.telnetrc", getenv ("HOME"));
readrc(m1, m2, port, rcname);
+ free (rcname);
}
#if defined(IP_OPTIONS) && defined(HAS_IPPROTO_IP)
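Review bot: `asprintf (&rcname, "%s/.telnetrc", getenv ("HOME"));` passes a null pointer to `%s` when HOME is unset, a case the removed `else rcbuf[0] = '\0';` branch handled by falling back to "/.telnetrc"; that is undefined behaviour in ISO C (glibc happens to print "(null)", other libcs may crash). The return value is also unchecked: on allocation failure asprintf leaves rcname unspecified, so `readrc(m1, m2, port, rcname);` and `free (rcname);` would operate on garbage. Suggest `const char *home = getenv("HOME"); if (!home) home = "";` followed by `if (asprintf(&rcname, "%s/.telnetrc", home) < 0) return;`. Two smaller points: with the buffer now allocated and freed on every call, the `static` on rcname no longer serves a purpose and should go; and asprintf is a GNU/BSD extension, so the file needs the corresponding feature macro before its includes, otherwise the build gets an implicit declaration.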
Let me know if I screwed up something; we need to be extra careful with
standard packages during the freeze.
--
Robert Millan
(Debra and Ian) (Gnu's Not (UNiplexed Information and Computing System))/\
(kernel of *(Berkeley Software Distribution))
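The following is an added example and not code from netkit-telnet or from either patch in this thread. It shows the two ways of building the `$HOME/.telnetrc` path that the patches above take, a bounded fixed buffer and a heap allocation, written so that both an unset HOME and an overlong HOME are handled without writing past the buffer. The function names `build_rc_path_fixed`, `build_rc_path`, `rc_path_fits_128` and `constructed_long_home` are hypothetical; the helpers take the home directory as an argument instead of calling `getenv("HOME")` so they can be exercised with constructed inputs, and the heap variant uses `malloc` plus `memcpy` rather than `asprintf` so it compiles without GNU extensions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not netkit-telnet code. Both helpers take the home
 * directory as an argument instead of calling getenv("HOME") so the
 * behaviour can be exercised with constructed inputs. */

#define RC_SUFFIX "/.telnetrc"

/* Fixed-buffer variant of cmdrc()'s path construction. snprintf bounds the
 * write to buflen and reports the length the full string would need, so an
 * overlong home directory is detected instead of overflowing the buffer.
 * Returns 0 when the path fits, -1 when it would have been truncated. */
int build_rc_path_fixed(char *buf, size_t buflen, const char *home) {
    if (home == NULL)
        home = "";               /* unset HOME: fall back to "/.telnetrc" */
    int n = snprintf(buf, buflen, "%s" RC_SUFFIX, home);
    if (n < 0 || (size_t)n >= buflen) {
        if (buflen > 0)
            buf[0] = '\0';       /* never hand a truncated path to the caller */
        return -1;
    }
    return 0;
}

/* Heap-allocated variant, the same idea as the asprintf() patch but written
 * with malloc + memcpy so it needs no GNU extension. The caller frees the
 * result. Returns NULL only on allocation failure. */
char *build_rc_path(const char *home) {
    if (home == NULL)
        home = "";
    size_t hlen = strlen(home);
    char *path = malloc(hlen + sizeof RC_SUFFIX);   /* sizeof counts the NUL */
    if (path == NULL)
        return NULL;
    memcpy(path, home, hlen);
    memcpy(path + hlen, RC_SUFFIX, sizeof RC_SUFFIX);
    return path;
}

/* Mirrors the original 128-byte rcbuf: returns 0 if the path for this home
 * directory fits in it, -1 otherwise. */
int rc_path_fits_128(const char *home) {
    char rcbuf[128];
    return build_rc_path_fixed(rcbuf, sizeof rcbuf, home);
}

/* Constructed input: a 300-byte home directory of the kind the bug report
 * describes (no real HOME should be this long). */
const char *constructed_long_home(void) {
    static char buf[301];
    memset(buf, 'A', 300);
    buf[300] = '\0';
    return buf;
}

int main(void) {
    const char *homes[] = { "/home/josh", NULL, constructed_long_home() };
    for (size_t i = 0; i < 3; i++) {
        char rcbuf[128];
        int ok = build_rc_path_fixed(rcbuf, sizeof rcbuf, homes[i]);
        char *dyn = build_rc_path(homes[i]);
        printf("home length %zu: fixed buffer %s, heap path length %zu\n",
               homes[i] ? strlen(homes[i]) : 0,
               ok == 0 ? "ok" : "too small (refused)",
               dyn ? strlen(dyn) : 0);
        free(dyn);
    }
    return 0;
}
```

The fixed-buffer helper is the minimal change for a static 128-byte `rcbuf`: the overlong case is reported rather than silently truncated, so the caller can skip the rc file instead of opening a path that is not the one the user configured. The heap helper removes the limit altogether, which is what the second patch in the thread does, while still covering the unset-HOME case that a bare `getenv("HOME")` passed to `%s` does not.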