Debian Bug report logs -
#44552
AMD has buffer overflows
Reported by: Daniel Jacobowitz <dan@debian.org>
Date: Tue, 7 Sep 1999 22:18:26 UTC
Severity: important
Fixed in version amd/upl102-29
Done: Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de>
:
Bug#44552
; Package amd
.
(full text, mbox, link).
Acknowledgement sent to Daniel Jacobowitz <dan@debian.org>
:
New bug report received and forwarded. Copy sent to Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: amd
Version: N/A; reported 1999-09-07
Severity: important
Our (outdated, according to redhat) amd also has the same security issues.
Here's a patch.
-- System Information
Debian Release: 2.0
Architecture: powerpc
Kernel: Linux drow.res.cmu.edu 2.3.10 #20 Tue Aug 17 13:54:15 EDT 1999 ppc
diff -uNr amd-upl102/amd/host_ops.c ../amd-upl102/amd/host_ops.c
--- amd-upl102/amd/host_ops.c Tue Sep 7 17:50:20 1999
+++ ../amd-upl102/amd/host_ops.c Tue Sep 7 17:40:20 1999
@@ -90,21 +90,22 @@
* entire PC disk to be mounted.
* Added by Mike Mitchell, mcm@unx.sas.com, 09/08/93
*/
-#define MAKE_MNTPT(mntpt, ex, mf) \
+#define MAKE_MNTPT(mntpt, ex, mf, len) \
{ \
if ((ex)->ex_dir[0] == '/') { \
if ((ex)->ex_dir[1] == 0) \
- strcpy((mntpt), (mf)->mf_mount); \
+ strncpy((mntpt), (mf)->mf_mount, len-1); \
else \
- sprintf((mntpt), "%s%s", (mf)->mf_mount, (ex)->ex_dir); \
+ snprintf((mntpt), len-1, "%s%s", (mf)->mf_mount, (ex)->ex_dir); \
} else if ((ex)->ex_dir[0] >= 'a' && \
(ex)->ex_dir[0] <= 'z' && \
(ex)->ex_dir[1] == ':' && \
(ex)->ex_dir[2] == '/' && \
(ex)->ex_dir[3] == 0) \
- sprintf((mntpt), "%s/%c%%", (mf)->mf_mount, (ex)->ex_dir[0]); \
+ snprintf((mntpt), len-1, "%s/%c%%", (mf)->mf_mount, (ex)->ex_dir[0]); \
else \
- sprintf((mntpt), "%s/%s", (mf)->mf_mount, (ex)->ex_dir); \
+ snprintf((mntpt), len-1, "%s/%s", (mf)->mf_mount, (ex)->ex_dir); \
+ (mntpt)[len - 1] = '\0'; \
}
@@ -606,7 +607,7 @@
*/
ep = (exports *) xmalloc(n_export * sizeof(exports));
for (j = 0, ex = exlist; ex; ex = ex->ex_next) {
- MAKE_MNTPT(mntpt, ex, mf);
+ MAKE_MNTPT(mntpt, ex, mf, sizeof(mntpt));
if (!already_mounted(mlist, mntpt))
ep[j++] = ex;
else
@@ -666,7 +667,7 @@
ex = ep[j];
if (ex) {
strcpy(rfs_dir, ex->ex_dir);
- MAKE_MNTPT(mntpt, ex, mf);
+ MAKE_MNTPT(mntpt, ex, mf, sizeof(mntpt));
if (do_mount(&fp[j], mntpt, fs_name, mf->mf_mopts, mf) == 0)
ok = TRUE;
}
diff -uNr amd-upl102/amd/xutil.c ../amd-upl102/amd/xutil.c
--- amd-upl102/amd/xutil.c Tue Sep 7 17:50:20 1999
+++ ../amd-upl102/amd/xutil.c Tue Sep 7 17:37:19 1999
@@ -178,12 +178,14 @@
* with the current error code take from errno.
*/
INLINE
-static void expand_error(f, e)
+static void expand_error(f, e, buf_size)
char *f;
char *e;
+int buf_size;
{
extern int sys_nerr;
char *p;
+ int len = 0;
int error = errno;
#if __GLIBC__ >= 2 && (defined(__USE_BSD) || defined(__USE_GNU))
/* sys_errlist defined in <stdio.h> */
@@ -192,8 +194,11 @@
#else
extern char *sys_errlist[];
#endif
+ /* Make sure it is terminated. */
+ e[buf_size - 1] = 0;
+ buf_size--;
- for (p = f; (*e = *p); e++, p++) {
+ for (p = f; (e[len] = *p) && len < buf_size; ) {
if (p[0] == '%' && p[1] == 'm') {
char *errstr;
if (error < 0 || error >= sys_nerr)
@@ -201,11 +206,14 @@
else
errstr = sys_errlist[error];
if (errstr)
- strcpy(e, errstr);
+ strncpy(e + len, errstr, buf_size - len);
else
- sprintf(e, "Error %d", error);
- e += strlen(e) - 1;
+ snprintf(e + len, buf_size - len, "Error %d", error);
+ len += strlen(e);
+ p += 2;
+ } else {
p++;
+ len++;
}
}
}
@@ -280,7 +288,7 @@
checkup_mem();
#endif /* DEBUG_MEM */
- expand_error(fmt, efmt);
+ expand_error(fmt, efmt, sizeof(efmt));
sprintf(ptr, efmt, j,s,_,p,e,n,d,r,y);
ptr += strlen(ptr);
if (ptr[-1] == '\n')
Reply sent to Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Daniel Jacobowitz <dan@debian.org>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #10 received at 44552-close@bugs.debian.org (full text, mbox, reply):
We believe that the bug you reported is fixed in the latest version of
amd, which has been installed in the Debian FTP archive:
amd_upl102-29_m68k.deb
to dists/potato/main/binary-m68k/net/amd_upl102-29.deb
replacing amd_upl102-28.deb
amd_upl102-29.diff.gz
to dists/potato/main/source/net/amd_upl102-29.diff.gz
replacing amd_upl102-28.diff.gz
amd_upl102-29.dsc
to dists/potato/main/source/net/amd_upl102-29.dsc
replacing amd_upl102-28.dsc
amd_upl102-29_i386.deb
to dists/potato/main/binary-i386/net/amd_upl102-29.deb
replacing amd_upl102-28.deb
Note that this package is not part of the released stable Debian
distribution. It may have dependencies on other unreleased software,
or other instabilities. Please take care if you wish to install it.
The update will eventually make its way into the next released Debian
distribution.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 44552@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de> (supplier of updated amd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Format: 1.6
Date: Tue, 14 Sep 1999 15:48:20 +0200
Source: amd
Binary: amd
Architecture: source i386 m68k
Version: upl102-29
Distribution: unstable
Urgency: high
Maintainer: Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de>
Description:
amd - The 4.4BSD automounter.
Closes: 44552
Changes:
amd (upl102-29) unstable; urgency=HIGH
.
* Applied patch by Dan <dan@debian.org> for buffer overflows (Closes: #44552)
* Converted to FHS (/usr/share/{doc,man,info}) with new debhelper.
* Removed bashisms from debian/rules.
Files:
c30b7a03265b6404785b1f37c4e650e8 628 net extra amd_upl102-29.dsc
bc4cbb4b39992da377bf92e1a39262cf 39646 net extra amd_upl102-29.diff.gz
35423b31a92d9b2d258780053ae65100 405354 net extra amd_upl102-29_i386.deb
1b273e9b96cdc5f96297b3aa83bef5d0 404686 net extra amd_upl102-29_m68k.deb
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
iQCVAwUBN95cHHVhJ0HiWnvJAQHDbAP+KGb+fmmwUEYz1SZvrNMCB/WpZwOdArKV
/FxStFEgeXauj62WvBYMS8LbFGkh/+9t++k4zesAmFL4PiaflFxSBX0yF6GODXl0
Fih5JDoGYLeRe1OSQewUfLB/sICZHBgq8Hyf9cr+VBwRPQWjNILogeDdnuK//sp/
zKeFoBKGPzs=
=SmZ9
-----END PGP SIGNATURE-----
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Apr 19 19:49:40 2024;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.