Bug#129104: bug 129104 (buffer overflow + template reading in cgiemail)

To: Thomas Smith <tgs@finbar.dyndns.org>
Cc: 129104@bugs.debian.org
Subject: Bug#129104: bug 129104 (buffer overflow + template reading in cgiemail)
From: Colin Watson <cjwatson@flatline.org.uk>
Date: Thu, 17 Jan 2002 16:42:42 +0000
Message-id: <[🔎] 20020117164242.GB25265@arborlon.riva.ucam.org>
Reply-to: Colin Watson <cjwatson@flatline.org.uk>, 129104@bugs.debian.org
In-reply-to: <[🔎] 20020116211725.GA26234@megafauna.finbar.dyndns.org>
References: <[🔎] 20020116211725.GA26234@megafauna.finbar.dyndns.org>

On Wed, Jan 16, 2002 at 04:17:25PM -0500, Thomas Smith wrote:
> I had released a new version with an almost-correct fix for the buffer
> overflow problem last night, and just looked at your mail to the bug
> this afternoon.  My fix was almost the same as yours; it used
> CGI_ERRMSG_MAX-1 instead of CGI_ERRMSG_MAX.  My next upload will use
> your correct version.

Right, that change isn't too big a deal.

> That leaves the other stuff...  the main problem is the template files,
> and I like the solution you suggested (restricting them to a specific
> directory).  The relevant code, I think, is in the
> cgi_standard_{email,echo,file} functions at the end of cgilib.c
> (beginning on line 1010).
> 
> Hmm, one problem that just occurred to me is that we can't easily make
> the location of the template files a compile-time option because people
> reconfigure their webservers to have different document roots, and the
> current design of cgiemail requires the template files to have
> PATH_TRANSLATEDs.  That means, I guess, that configuration file parsing
> might have to be added.

Yes, with the current design there really isn't any way to do it well
(including backwards compatibility), only patch it up. I suggest a
simple 'templatedir="/foo/bar/baz"' in a trusted place like
/etc/cgiemail.conf. That has the advantage that it can be parsed by the
shell, so you can easily set it with debconf and not clobber the old
setting on upgrades.

> Maybe could restrict to files with extension .CGIEMAIL_TEMPLATE.
> 
> Do you have any other ideas, or a preference between these two?

I think I prefer the directory idea: I usually prefer moving files
between directories to renaming files, somehow.

> The other issue is that it uses mkstemp() which is not very secure.  I
> don't guess that this is exploitable, but should be fixed at some point.

tmpnam(), rather - mkstemp() is fine. It's not very hard to convert from
one to the other with a bit of care, so I'll do that later.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]

Reply to:

Follow-Ups:
- Bug#129104: bug 129104 (buffer overflow + template reading in cgiemail)
  - From: Thomas Smith <tgs@finbar.dyndns.org>

References:
- Bug#129104: bug 129104 (buffer overflow + template reading in cgiemail)
  - From: Thomas Smith <tgs@finbar.dyndns.org>

Prev by Date: Re: Bug#129414: psptools: try this patch -p0 on psplpr.pl.in instead of #129287
Next by Date: psptools_1.2.2-7_i386.changes INSTALLED
Previous by thread: Bug#129104: bug 129104 (buffer overflow + template reading in cgiemail)
Next by thread: Bug#129104: bug 129104 (buffer overflow + template reading in cgiemail)
Index(es):
- Date
- Thread