Debian Bug report logs - #44552
AMD has buffer overflows


Package: amd; Maintainer for amd is (unknown);

Reported by: Daniel Jacobowitz <dan@debian.org>

Date: Tue, 7 Sep 1999 22:18:26 UTC

Severity: important

Fixed in version amd/upl102-29

Done: Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de>:
Bug#44552; Package amd. (full text, mbox, link).


Acknowledgement sent to Daniel Jacobowitz <dan@debian.org>:
New bug report received and forwarded. Copy sent to Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Daniel Jacobowitz <dan@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: AMD has buffer overflows
Date: Tue, 07 Sep 1999 18:17:55 -0400
Package: amd
Version: N/A; reported 1999-09-07
Severity: important

Our (outdated, according to redhat) amd also has the same security issues. 
Here's a patch.

-- System Information
Debian Release: 2.0
Architecture: powerpc
Kernel: Linux drow.res.cmu.edu 2.3.10 #20 Tue Aug 17 13:54:15 EDT 1999 ppc

diff -uNr amd-upl102/amd/host_ops.c ../amd-upl102/amd/host_ops.c
--- amd-upl102/amd/host_ops.c	Tue Sep  7 17:50:20 1999
+++ ../amd-upl102/amd/host_ops.c	Tue Sep  7 17:40:20 1999
@@ -90,21 +90,22 @@
  * entire PC disk to be mounted.
  * Added by Mike Mitchell, mcm@unx.sas.com, 09/08/93
  */
-#define MAKE_MNTPT(mntpt, ex, mf)					      \
+#define MAKE_MNTPT(mntpt, ex, mf, len)					      \
 {									      \
 	if ((ex)->ex_dir[0] == '/') {					      \
 		if ((ex)->ex_dir[1] == 0)				      \
-			strcpy((mntpt), (mf)->mf_mount);		      \
+			strncpy((mntpt), (mf)->mf_mount, len-1);	      \
 		else							      \
-			sprintf((mntpt), "%s%s", (mf)->mf_mount, (ex)->ex_dir); \
+			snprintf((mntpt), len-1, "%s%s", (mf)->mf_mount, (ex)->ex_dir);	\
 	} else if ((ex)->ex_dir[0] >= 'a' &&				      \
 			(ex)->ex_dir[0] <= 'z' &&			      \
 			(ex)->ex_dir[1] == ':' &&			      \
 			(ex)->ex_dir[2] == '/' &&			      \
 			(ex)->ex_dir[3] == 0)				      \
-		sprintf((mntpt), "%s/%c%%", (mf)->mf_mount, (ex)->ex_dir[0]); \
+		snprintf((mntpt), len-1, "%s/%c%%", (mf)->mf_mount, (ex)->ex_dir[0]); \
 	else								      \
-		sprintf((mntpt), "%s/%s", (mf)->mf_mount, (ex)->ex_dir);      \
+		snprintf((mntpt), len-1, "%s/%s", (mf)->mf_mount, (ex)->ex_dir);      \
+	(mntpt)[len - 1] = '\0';					      \
 }
 
 
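Review bot: Truncation in MAKE_MNTPT is silent: when `mf_mount` plus `ex_dir` does not fit, the macro leaves a shortened path in `mntpt`, and the call sites in the two following hunks pass that shortened path to `already_mounted()` and `do_mount()` as if it were the intended one. Since the macro cannot return a status, its comment should at least state the contract, e.g. `/* Result is truncated to len-1 bytes; callers must reject a mount point that did not fit. */`, and the callers would ideally skip such an export. Separately, `len` is the only macro argument used without parentheses; `(mntpt)[(len) - 1] = '\0';` and `(len)` in the copy calls keep the macro correct for expression arguments. The macro's leading comment starts outside the hunk.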
@@ -606,7 +607,7 @@
 	 */
 	ep = (exports *) xmalloc(n_export * sizeof(exports));
 	for (j = 0, ex = exlist; ex; ex = ex->ex_next) {
-		MAKE_MNTPT(mntpt, ex, mf);
+		MAKE_MNTPT(mntpt, ex, mf, sizeof(mntpt));
 		if (!already_mounted(mlist, mntpt))
 			ep[j++] = ex;
 		else
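Review bot: `sizeof(mntpt)` is the buffer capacity only if `mntpt` is declared as a char array in this function, and that declaration is outside the hunk, so it should be confirmed. If `mntpt` were a `char *`, the macro would receive the pointer size and cut every mount point down to a few bytes. A short comment at the declaration, e.g. `/* must stay an array: MAKE_MNTPT is passed sizeof(mntpt) */`, would protect the call against a later refactor. The same applies to the second call in the `@@ -666,7 +667,7 @@` hunk.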
@@ -666,7 +667,7 @@
 		ex = ep[j];
 		if (ex) {
 			strcpy(rfs_dir, ex->ex_dir);
-			MAKE_MNTPT(mntpt, ex, mf);
+			MAKE_MNTPT(mntpt, ex, mf, sizeof(mntpt));
 			if (do_mount(&fp[j], mntpt, fs_name, mf->mf_mopts, mf) == 0)
 				ok = TRUE;
 		}
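Review bot: `strcpy(rfs_dir, ex->ex_dir);` directly above the patched call copies the same `ex_dir` string with no bound, so the overflow this patch closes for `mntpt` may remain open for `rfs_dir`. A bounded copy such as `snprintf(rfs_dir, rfs_space, "%s", ex->ex_dir);` would match the rest of the patch, where `rfs_space` is a placeholder for the capacity of whatever `rfs_dir` points at. Its declaration is outside the hunk, so `sizeof(rfs_dir)` may not be the right bound. The enclosing function starts and ends outside the hunk.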
diff -uNr amd-upl102/amd/xutil.c ../amd-upl102/amd/xutil.c
--- amd-upl102/amd/xutil.c	Tue Sep  7 17:50:20 1999
+++ ../amd-upl102/amd/xutil.c	Tue Sep  7 17:37:19 1999
@@ -178,12 +178,14 @@
  * with the current error code take from errno.
  */
 INLINE
-static void expand_error(f, e)
+static void expand_error(f, e, buf_size)
 char *f;
 char *e;
+int buf_size;
 {
 	extern int sys_nerr;
 	char *p;
+	int len = 0;
 	int error = errno;
 #if __GLIBC__ >= 2 && (defined(__USE_BSD) || defined(__USE_GNU))
 	/* sys_errlist defined in <stdio.h> */
@@ -192,8 +194,11 @@
 #else
 	extern char *sys_errlist[];
 #endif
+	/* Make sure it is terminated. */
+	e[buf_size - 1] = 0;
+	buf_size--;
 
-	for (p = f; (*e = *p); e++, p++) {
+	for (p = f; (e[len] = *p) && len < buf_size; ) {
 		if (p[0] == '%' && p[1] == 'm') {
 			char *errstr;
 			if (error < 0 || error >= sys_nerr)
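Review bot: The loop condition `(e[len] = *p) && len < buf_size` stores the byte before it checks the bound, so when `len` reaches `buf_size` the store lands on the terminator written just above and the loop exits with `e` unterminated. Testing the bound first keeps the terminator intact: `for (p = f; len < buf_size && (e[len] = *p); ) {`. `e[buf_size - 1] = 0` also writes before the start of the buffer if a caller ever passes a `buf_size` of 0, so a guard such as `if (buf_size <= 0) return;` belongs ahead of it. The function starts in the previous hunk and the loop body continues in the next one.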
@@ -201,11 +206,14 @@
 			else
 				errstr = sys_errlist[error];
 			if (errstr)
-				strcpy(e, errstr);
+				strncpy(e + len, errstr, buf_size - len);
 			else
-				sprintf(e, "Error %d", error);
-			e += strlen(e) - 1;
+				snprintf(e + len, buf_size - len, "Error %d", error);
+			len += strlen(e);
+			p += 2;
+		} else {
 			p++;
+			len++;
 		}
 	}
 }
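Review bot: `len += strlen(e);` measures from the start of the buffer, so the prefix already copied is counted a second time and `len` jumps past the text just written. The remainder of the format is then stored beyond the NUL that follows the error text, so it is lost. Because the loop condition in the previous hunk stores `e[len]` before comparing `len` with `buf_size`, an over-advanced `len` can also write outside `e`. Measuring only the inserted text fixes the count: `len += strlen(e + len);`. The loop header is outside this hunk.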
@@ -280,7 +288,7 @@
 	checkup_mem();
 #endif /* DEBUG_MEM */
 
-	expand_error(fmt, efmt);
+	expand_error(fmt, efmt, sizeof(efmt));
 	sprintf(ptr, efmt, j,s,_,p,e,n,d,r,y);
 	ptr += strlen(ptr);
 	if (ptr[-1] == '\n')
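Review bot: The `sprintf(ptr, efmt, ...)` on the line after the patched call is still unbounded, so limiting the size of `efmt` does not limit what is written through `ptr` once the arguments and the `%m` text are expanded. It should become a bounded call, e.g. `snprintf(ptr, space_left, efmt, j,s,_,p,e,n,d,r,y);`, where `space_left` is a placeholder for the capacity remaining in the destination. The buffer behind `ptr` is declared outside the hunk, so its size needs to be checked there. The enclosing function starts and ends outside the hunk.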




Reply sent to Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Daniel Jacobowitz <dan@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #10 received at 44552-close@bugs.debian.org (full text, mbox, reply):

From: Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de>
To: 44552-close@bugs.debian.org
Subject: Bug#44552: fixed in amd upl102-29
Date: 14 Sep 1999 18:52:08 -0000
We believe that the bug you reported is fixed in the latest version of
amd, which has been installed in the Debian FTP archive:
amd_upl102-29_m68k.deb
  to dists/potato/main/binary-m68k/net/amd_upl102-29.deb
  replacing amd_upl102-28.deb
amd_upl102-29.diff.gz
  to dists/potato/main/source/net/amd_upl102-29.diff.gz
  replacing amd_upl102-28.diff.gz
amd_upl102-29.dsc
  to dists/potato/main/source/net/amd_upl102-29.dsc
  replacing amd_upl102-28.dsc
amd_upl102-29_i386.deb
  to dists/potato/main/binary-i386/net/amd_upl102-29.deb
  replacing amd_upl102-28.deb

Note that this package is not part of the released stable Debian
distribution.  It may have dependencies on other unreleased software,
or other instabilities.  Please take care if you wish to install it.
The update will eventually make its way into the next released Debian
distribution.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 44552@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de> (supplier of updated amd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----

Format: 1.6
Date: Tue, 14 Sep 1999 15:48:20 +0200
Source: amd
Binary: amd
Architecture: source i386 m68k
Version: upl102-29
Distribution: unstable
Urgency: high
Maintainer: Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de>
Description: 
 amd        - The 4.4BSD automounter.
Closes: 44552
Changes: 
 amd (upl102-29) unstable; urgency=HIGH
 .
   * Applied patch by Dan <dan@debian.org> for buffer overflows (Closes: #44552)
   * Converted to FHS (/usr/share/{doc,man,info}) with new debhelper.
   * Removed bashisms from debian/rules.
Files: 
 c30b7a03265b6404785b1f37c4e650e8 628 net extra amd_upl102-29.dsc
 bc4cbb4b39992da377bf92e1a39262cf 39646 net extra amd_upl102-29.diff.gz
 35423b31a92d9b2d258780053ae65100 405354 net extra amd_upl102-29_i386.deb
 1b273e9b96cdc5f96297b3aa83bef5d0 404686 net extra amd_upl102-29_m68k.deb


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1

iQCVAwUBN95cHHVhJ0HiWnvJAQHDbAP+KGb+fmmwUEYz1SZvrNMCB/WpZwOdArKV
/FxStFEgeXauj62WvBYMS8LbFGkh/+9t++k4zesAmFL4PiaflFxSBX0yF6GODXl0
Fih5JDoGYLeRe1OSQewUfLB/sICZHBgq8Hyf9cr+VBwRPQWjNILogeDdnuK//sp/
zKeFoBKGPzs=
=SmZ9
-----END PGP SIGNATURE-----


