From koya@math.yokohama-cu.ac.jp Wed Sep  1 20:40:36 1999
Return-Path: <koya@math.yokohama-cu.ac.jp>
Received: from mgate10.so-net.ne.jp (mgate10.so-net.ne.jp [210.139.254.157])
	by hub.freebsd.org (Postfix) with ESMTP id 72388155D6
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  1 Sep 1999 20:40:33 -0700 (PDT)
	(envelope-from koya@math.yokohama-cu.ac.jp)
Received: from mail.jf6.so-net.ne.jp (mail.jf6.so-net.ne.jp [210.139.254.86])
	by mgate10.so-net.ne.jp (8.9.2/3.7W99081619) with ESMTP id MAA10793;
	Thu, 2 Sep 1999 12:40:21 +0900 (JST)
Received: from localhost (p84ea7a.ykh2.ap.so-net.ne.jp [210.132.234.122])
	by mail.jf6.so-net.ne.jp (8.8.8+3.0Wbeta9/3.7W99081617) with ESMTP id MAA10426;
	Thu, 2 Sep 1999 12:40:18 +0900 (JST)
Message-Id: <19990902125011W.koya@math.yokohama-cu.ac.jp>
Date: Thu, 02 Sep 1999 12:50:11 +0900
From: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
Sender: Yoshihiro Koya <koya@math.yokohama-cu.ac.jp>
Reply-To: koya@math.yokohama-cu.ac.jp
To: FreeBSD-gnats-submit@freebsd.org
Cc: koya@math.yokohama-cu.ac.jp
Subject: Finger bug: possible stack overflow
X-Send-Pr-Version: 3.2

>Number:         13535
>Category:       bin
>Synopsis:       A security bug of finger
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep  1 20:50:01 PDT 1999
>Closed-Date:    Thu Sep 2 11:26:43 PDT 1999
>Last-Modified:  Tue Nov 27 18:31:07 PST 2001
>Originator:     Yoshihiro Koya
>Release:        FreeBSD 2.2.8-RELEASE i386
>Organization:
>Environment:

Finger of "Id: finger.c,v 1.9.2.3 1998/03/08 09:08:00 jkh Exp"

(However, the source in the current CVS repository has a similar
problem. All versions of finger might have the same problem.)

>Description:

When the finger program prints user information of a system, it refers
to the gecos field of the passwd database.  The length of the gecos field may
be allowed up to 2048 bytes. On the other hand, almost all buffers of
the finger program have only 1024 bytes.

The "ampersand problem" of finger in the current CVS repository has
already been fixed.  However, even that version has the problem described above.

>How-To-Repeat:

Using the chpass program, change the gecos field of some user as
follows:

  >#Changing user database information for someuser
  >Shell: /bin/csh
  >Full Name: xxxxxxxxxxxxxxxxx... ( put here 1500 times x, for example )
  >Location:
  >Office Phone:
  >Home Phone:
  >Other information:

and, type

  host% finger root

or 

  host% finger root@localhost 

if fingerd is available on your system.  Then finger will catch
signal 10 or 11.

In the latter case, it is also possible to execute any command by using
this, under the privileges of "nobody" (this is dangerous on a system
running squid).

>Fix:
	
Apply the patch below:

----------------------------------------------------------------------
diff -c /usr/src/usr.bin/finger/extern.h /home/koya/labo/finger/extern.h
*** /usr/src/usr.bin/finger/extern.h	Thu Jul  3 16:12:37 1997
--- /home/koya/labo/finger/extern.h	Thu Sep  2 12:15:18 1999
***************
*** 33,39 ****
   *	@(#)extern.h	8.1 (Berkeley) 6/6/93
   */
  
! extern char tbuf[1024];			/* Temp buffer for anybody. */
  extern int entries;			/* Number of people. */
  extern DB *db;				/* Database. */
  
--- 33,39 ----
   *	@(#)extern.h	8.1 (Berkeley) 6/6/93
   */
  
! extern char tbuf[LINE_MAX];		/* Temp buffer for anybody. */
  extern int entries;			/* Number of people. */
  extern DB *db;				/* Database. */
  
diff -c /usr/src/usr.bin/finger/finger.c /home/koya/labo/finger/finger.c
*** /usr/src/usr.bin/finger/finger.c	Sun Mar  8 18:08:00 1998
--- /home/koya/labo/finger/finger.c	Thu Sep  2 12:15:40 1999
***************
*** 94,100 ****
  DB *db;
  time_t now;
  int entries, lflag, mflag, pplan, sflag, oflag, Tflag;
! char tbuf[1024];
  
  static void loginlist __P((void));
  static void usage __P((void));
--- 94,100 ----
  DB *db;
  time_t now;
  int entries, lflag, mflag, pplan, sflag, oflag, Tflag;
! char tbuf[LINE_MAX];
  
  static void loginlist __P((void));
  static void usage __P((void));
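Review bot: `char tbuf[LINE_MAX];` is only an improvement if LINE_MAX is at least as large as the gecos length chpass permits (the report puts that at about 2048 bytes), and the hunk leaves that relationship implicit; state it in a comment or guard it with a compile-time check. The hunk also shows only the definition: any code in finger.c that bounds writes into tbuf with a literal 1024 now silently disagrees with the array size and should use `sizeof(tbuf)` instead.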

diff -c /usr/src/usr.bin/finger/util.c /home/koya/labo/finger/util.c
*** /usr/src/usr.bin/finger/util.c	Sun Mar  8 18:08:20 1998
--- /home/koya/labo/finger/util.c	Thu Sep  2 12:14:59 1999
***************
*** 70,76 ****
  	char *user;
  {
  	register char *p, *t;
! 	char name[1024];
  
  	if (!strcasecmp(pw->pw_name, user))
  		return(1);
--- 70,76 ----
  	char *user;
  {
  	register char *p, *t;
! 	char name[LINE_MAX];
  
  	if (!strcasecmp(pw->pw_name, user))
  		return(1);
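Review bot: enlarging `name` in match() does not remove an overflow, it only moves the threshold from 1024 to LINE_MAX bytes if the loop that fills it from pw_gecos is unbounded, and if that loop is already bounded (as the follow-up discussion concludes) the change is a no-op for safety. Either way, the copy should be limited by `sizeof(name)` and NUL-terminated; the hunk does not show the copy loop, so please confirm its bound is not written as a literal 1024 that now disagrees with the new size.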
***************
*** 335,341 ****
  	register struct passwd *pw;
  {
  	register char *p, *t;
! 	char *bp, name[1024];
  	struct stat sb;
  
  	pn->realname = pn->office = pn->officephone = pn->homephone = NULL;
--- 335,341 ----
  	register struct passwd *pw;
  {
  	register char *p, *t;
! 	char *bp, name[LINE_MAX];
  	struct stat sb;
  
  	pn->realname = pn->office = pn->officephone = pn->homephone = NULL;
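Review bot: same concern as in match(): `name[LINE_MAX]` in userinfo() is a stack buffer filled from pw_gecos, and if this is the buffer the `&`-to-login-name expansion (the "ampersand problem" the report mentions) writes into, the expanded text can be longer than the gecos field itself, so the gecos length alone is not the right bound. The fix that actually closes the problem is a check against `sizeof(name)` on every byte written, including during expansion, not a larger constant.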

----------------------------------------------------------------------
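
The description above (a fixed 1024-byte buffer receiving a gecos field that chpass allows to grow to about 2048 bytes) and Sheldon's later point that bounded manipulation, not buffer size, is what matters can be shown side by side. The following is an added example and is not code from the finger sources or the FreeBSD tree: `gecos_realname_unbounded` reproduces the unsafe copy-until-comma pattern, and `gecos_realname` is a bounded replacement that also applies the traditional BSD rule of expanding `&` to the capitalised login name (the "ampersand problem" the report refers to), checking `sizeof` on every byte written. All function names and the sample gecos strings are constructed for this example; the 1024 and 1500 figures are the ones in the report.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The unsafe pattern this PR is about: an unbounded copy of the first
 * gecos field into a fixed-size stack buffer.  A field longer than the
 * buffer (chpass allows around 2048 bytes, per the report) writes past
 * the end.  Shown only for contrast; nothing below calls it. */
void gecos_realname_unbounded(char *dst, const char *gecos)
{
    char *t = dst;
    const char *p = gecos;
    while (*p != '\0' && *p != ',')
        *t++ = *p++;
    *t = '\0';
}

/* Append one byte to dst if room remains (one byte is reserved for the
 * terminator).  *len is the current length of dst without the NUL.
 * Returns 0 on success, 1 if the byte had to be dropped. */
static int put_byte(char *dst, size_t dstsz, size_t *len, char c)
{
    if (*len + 1 >= dstsz)
        return 1;
    dst[(*len)++] = c;
    return 0;
}

/* Bounded replacement: copy the first comma-separated gecos field into
 * dst, expanding '&' to the login name with its first letter upper-cased.
 * dst is always NUL-terminated when dstsz > 0.  Returns 0 if the whole
 * field fitted, 1 if output was truncated, -1 if dstsz is 0. */
int gecos_realname(char *dst, size_t dstsz, const char *gecos, const char *login)
{
    size_t len = 0;
    int truncated = 0;
    const char *p;

    if (dstsz == 0)
        return -1;
    for (p = gecos; *p != '\0' && *p != ','; ++p) {
        if (*p == '&') {
            const char *l;
            for (l = login; *l != '\0'; ++l) {
                char c = (l == login) ? (char)toupper((unsigned char)*l) : *l;
                truncated |= put_byte(dst, dstsz, &len, c);
            }
        } else {
            truncated |= put_byte(dst, dstsz, &len, *p);
        }
    }
    dst[len] = '\0';
    return truncated;
}

/* The report's scenario: 1500 'x' in the gecos field, copied into a
 * 1024-byte buffer.  Returns the resulting string length, or -1 if the
 * copy was not reported as truncated.  (Constructed sample input.) */
int demo_long_gecos(void)
{
    static char gecos[1600];
    char name[1024];
    memset(gecos, 'x', 1500);
    strcpy(gecos + 1500, ",Room 1,555-0100,");
    if (gecos_realname(name, sizeof name, gecos, "someuser") != 1)
        return -1;
    return (int)strlen(name);
}

/* Ampersand expansion that fits: "& Smith" for login "koya" becomes
 * "Koya Smith".  Returns 1 if the result matches, else 0. */
int demo_ampersand(void)
{
    char name[32];
    if (gecos_realname(name, sizeof name, "& Smith,Room 1", "koya") != 0)
        return 0;
    return strcmp(name, "Koya Smith") == 0;
}

/* Expansion that would not fit: "ab&" with login "koya" into a 6-byte
 * buffer is cut to "abKoy" and reported truncated.  Returns 1 if so. */
int demo_ampersand_truncated(void)
{
    char name[6];
    if (gecos_realname(name, sizeof name, "ab&", "koya") != 1)
        return 0;
    return strcmp(name, "abKoy") == 0;
}

int main(void)
{
    printf("long gecos  -> %d bytes kept\n", demo_long_gecos());
    printf("'& Smith'   -> %s\n", demo_ampersand() ? "ok" : "mismatch");
    printf("'ab&' in 6  -> %s\n", demo_ampersand_truncated() ? "truncated safely" : "mismatch");
    return 0;
}
```

The `demo_ampersand_truncated` case is the one to take away: what has to fit in the buffer is the expanded text, not the raw gecos field, so checking the input length before the copy is not sufficient once `&` expansion is involved. Bounding every write by `sizeof(name)` is what Sheldon's reply asks for, and it holds whatever constant the array is declared with; raising the size to LINE_MAX only moves the threshold.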

>Release-Note:
>Audit-Trail:

From: Bill Fumerola <billf@jade.chc-chimes.com>
To: koya@math.yokohama-cu.ac.jp
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/13535: Finger bug: possible stack overflow
Date: Wed, 1 Sep 1999 23:25:04 -0400 (EDT)

 On Thu, 2 Sep 1999, Yoshihiro Koya wrote:
 
 > By using chpass programm, change the gecos field of a some user as
 > follows:
 > 
 >   >#Changing user database information for someuser
 >   >Shell: /bin/csh
 >   >Full Name: xxxxxxxxxxxxxxxxx... ( put here 1500 times x, for example )
 >   >Location:
 >   >Office Phone:
 >   >Home Phone:
 >   >Other information:
 
 This makes NIS ignore you as a user because it crashes mknetid. Neat.
 
 -- 
 - bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
 - ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org  -
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: koya@math.yokohama-cu.ac.jp
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/13535: Finger bug: possible stack overflow 
Date: Thu, 02 Sep 1999 12:49:31 +0200

 On Thu, 02 Sep 1999 12:50:11 +0900, Yoshihiro Koya wrote:
 
 > Apply the patch below:
 
 What is your patch supposed to do? It only doubles the size of a buffer
 which we _always_ seem to do bounded manipulation on. Can you spot
 anything in the finger source that fiddles with tput without checking
 its size and termination? _That_ would make for a proper fix.
 
 Ciao,
 Sheldon.
 

From: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
To: sheldonh@uunet.co.za
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/13535: Finger bug: possible stack overflow 
Date: Thu, 02 Sep 1999 20:13:13 +0900

 From: Sheldon Hearn <sheldonh@uunet.co.za>
 Subject: Re: bin/13535: Finger bug: possible stack overflow 
 Date: Thu, 02 Sep 1999 12:49:31 +0200
 
 > On Thu, 02 Sep 1999 12:50:11 +0900, Yoshihiro Koya wrote:
 > 
 > > Apply the patch below:
 > 
 > What is your patch supposed to do? It only doubles the size of a buffer
 > which we _always_ seem to do bounded manipulation on. Can you spot
 > anything in the finger source that fiddles with tput without checking
 > its size and termination? _That_ would make for a proper fix.
 > 
 
 I checked the source code of chpass ( /usr/src/usr.bin/chpass/edit.c ).
 I found there that the chpass program assumes that the length of gecos is
 less than ABOUT 2048 bytes. This is the reason why I put LINE_MAX there.
 
 About the manipulation on bounds, you are right. I only paid
 attention to the size of the buffer.  As you said, the current version of
 the source code in the CVS repository has no problem. Sorry for my
 misunderstanding.
 
 koya
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/13535: Finger bug: possible stack overflow 
Date: Thu, 02 Sep 1999 13:48:13 +0200

 On Thu, 02 Sep 1999 20:13:13 +0900, Yoshihiro Koya wrote:
 
 > About the manupulation on bound, you are right. I only paid my
 > attention to the size of buffer.  As you said, the current version of
 > the source code in the CVS repository has no problem. Sorry for my
 > misunderstanding.
 
 No problem. :-)
 
 So are you happy with me closing your PR, or is there a real problem
 that needs to be addressed? (I haven't looked into the problem, I just
 scanned the finger source for its use of the buffer).
 
 Ciao,
 Sheldon.
 

From: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
To: sheldonh@uunet.co.za
Cc: Yoshihiro.Koya@math.yokohama-cu.ac.jp,
	FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/13535: Finger bug: possible stack overflow 
Date: Thu, 02 Sep 1999 22:02:20 +0900

 From: Sheldon Hearn <sheldonh@uunet.co.za>
 Subject: Re: bin/13535: Finger bug: possible stack overflow 
 Date: Thu, 02 Sep 1999 13:48:13 +0200
 
 > So are you happy with me closing your PR, or is there a real problem
 > that needs to be addressed? (I haven't looked into the problem, I just
 > scanned the finger source for its use of the buffer).
 
 There might be no problem, I think.  I quite agree. Thank you very
 much for your kind messages.
 
 koya
 
 
State-Changed-From-To: open->closed 
State-Changed-By: sheldonh 
State-Changed-When: Thu Sep 2 11:26:43 PDT 1999 
State-Changed-Why:  
Committed to the RELENG_2_2 branch as rev 1.3.6.3 of util.c, with  
imp's permission. 
>Unformatted:
