[gopher] [comp.infosystems.gopher] Re: UMN gopherd exploits
FYI, if you are running UMN gopherd and have not upgraded, you may
find this useful:
-- Attached file included as plaintext by Ecartis --
From: "Jacob Dahl Pind" <rachael_@gmx.net>
Subject: Re: UMN gopherd exploits
References: <561.365T1050T2052494rachael_@gmx.net> <87oey9ok10.fsf@complete.org>
Message-ID: <2001.371T1100T953184rachael_@gmx.net>
Newsgroups: comp.infosystems.gopher
Date: 29 Aug 2003 1:35:22 +0100
on 28-Aug-03 16:54:03, John Goerzen wrote:
>"Jacob Dahl Pind" <rachael_@gmx.net> writes:
>> Hello
>>
>> As it seems support for UMN gopherd has been stopped, and the two
>> latest security holes won't be fixed, I have tried to patch them.
>>
>> The small patch can be found at gopher://rachael.dyndns.org/11/gopher/
>I could not resolve that hostname. Can you post a new URL?
Have included it instead.
It fixed the GSisText()/view buffer overflow, remote "ftp gateway" buffer overflow,
and do_command buffer overflow.
It also changes some tempnam to mkstemp, but those are GNU glibc specific.
-- UMN_gopherd_patch.txt
diff -adr misc/gopher-3.0.5/gopher-3.0.5/gopherd/ftp.c software/gopher-3.0.5/gopher-3.0.5/gopherd/ftp.c
1810,1811c1810,1811
<
< strcpy(tmpName, buf);
---
> if (strlen(buf) > 256) last=256;
> strncpy(tmpName, buf,last);
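Review bot: `last` is assigned only when `strlen(buf) > 256`, so for any shorter `buf` the `strncpy(tmpName, buf,last)` call runs with whatever value `last` held before these lines; the hunk shows neither its declaration nor an initial value. When the 256 branch is taken, `strncpy` copies exactly 256 bytes and writes no terminating NUL, so `tmpName` is left unterminated. Suggest bounding on the destination rather than a literal: if `tmpName` is an array, `strncpy(tmpName, buf, sizeof(tmpName) - 1); tmpName[sizeof(tmpName) - 1] = '\0';`, or reject the over-long name outright instead of truncating it.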
diff -adr misc/gopher-3.0.5/gopher-3.0.5/gopherd/gopherd.c software/gopher-3.0.5/gopher-3.0.5/gopherd/gopherd.c
1279,1280c1279,1280
< ASKfile = tempnam(NULL, "gdata");
< Debug("HTTP POST data is in %s\n", ASKfile);
---
> ASKfile = mkstemp("gdata");
> Debug("HTTP POST data is in %s\n", ASKfile);
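Review bot: `ASKfile = mkstemp("gdata");` is not a drop-in replacement for `tempnam`. `mkstemp` takes a writable template whose last six characters are `XXXXXX`, rewrites it in place, and returns an open file descriptor (an `int`), not a filename. With the string literal `"gdata"` the call fails (glibc returns -1 with EINVAL), and the following `Debug("HTTP POST data is in %s\n", ASKfile)` then formats that value as a string. Suggest a writable buffer such as `char tmpl[] = "/tmp/gdataXXXXXX";`, checking the result for -1, using the returned descriptor for the write, and pointing `ASKfile` at a copy of the buffer if later code needs the name.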
1482c1482
<
---
> int authlen;
1488c1488,1491
< strcpy(cleartext, authuser);
---
> authlen = strlen(authuser);
> /* its 64 because cleartext has just been declared 64 above */
> if (authlen > 64 ) authlen = 64;
> strncpy(cleartext, authuser,authlen);
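Review bot: the `strncpy(cleartext, authuser,authlen)` line never writes a terminating NUL, because `authlen` is at most `strlen(authuser)` and the copy therefore stops before the source terminator. With the cap at 64 and `cleartext` being 64 bytes per the comment, a long `authuser` also fills the whole buffer and leaves no room for one. Suggest capping at 63 and adding `cleartext[authlen] = '\0';` after the copy, or failing the request on an over-long `authuser` instead of silently truncating it.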
1590c1593
< ASKfile = tempnam(NULL, "gdata");
---
> ASKfile = mkstemp("gdata");
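Review bot: `mkstemp("gdata")` on the added line passes a read-only literal without the required `XXXXXX` suffix and assigns the `int` return value to `ASKfile`, which held the `tempnam` filename before this change. Use a writable `...XXXXXX` template buffer, check the return value for -1, keep the descriptor for I/O, and take the filename from the rewritten buffer.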
diff -adr misc/gopher-3.0.5/gopher-3.0.5/object/GSgopherobj.c software/gopher-3.0.5/gopher-3.0.5/object/GSgopherobj.c
2090c2090,2091
< {
---
> { int pos;
>
2107c2108,2112
<
---
> if (strlen(view) > 64) {
> pos = 64;
> } else {
> pos = strlen(view);
> }
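Review bot: `pos` is computed in this hunk but nothing in the diff uses it. The only changed lines in GSgopherobj.c are the `int pos;` declaration and this `if`/`else`, so the copy of `view` that the bound is meant for is not visibly limited by the patch. Either the line that passes `pos` to the copy is missing from the posted file or the fix is incomplete; when it is added, cap at one less than the destination size and write the terminating NUL explicitly.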
regards Jacob Dahl Pind
--
CBM, Amiga,Vintage hardware collector
Email: rachael@rachael.dyndns.org
url: http://rachael.dyndns.org