From venglin@lubi.FreeBSD.lublin.pl  Tue Jan 18 11:05:34 2000
Return-Path: <venglin@lubi.FreeBSD.lublin.pl>
Received: from mx1.lublin.pl (mx1.lublin.pl [212.182.63.76])
	by hub.freebsd.org (Postfix) with ESMTP id 5B23D14EE2
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 18 Jan 2000 11:05:13 -0800 (PST)
	(envelope-from venglin@lubi.FreeBSD.lublin.pl)
Received: from lubi.freebsd.lublin.pl ([212.182.118.90]:13060 "HELO
        lubi.FreeBSD.lublin.pl") by krupik.man.lublin.pl with SMTP
	id <S3542840AbQARTEp>; Tue, 18 Jan 2000 20:04:45 +0100
Received: (qmail 1231 invoked by uid 1001); 18 Jan 2000 19:04:39 -0000
Message-Id: <20000118190439.1230.qmail@lubi.FreeBSD.lublin.pl>
Date: 18 Jan 2000 19:04:39 -0000
From: venglin@lubi.FreeBSD.lublin.pl
Reply-To: venglin@lubi.FreeBSD.lublin.pl
To: FreeBSD-gnats-submit@freebsd.org
Subject: [PATCH] Insecure use of strncpy() and strcpy() in lpr(1)
X-Send-Pr-Version: 3.2

>Number:         16186
>Category:       bin
>Synopsis:       [MFC] [PATCH] Insecure use of strncpy() and strcpy() in lpr(1)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gad@FreeBSD.org
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 18 11:10:02 PST 2000
>Closed-Date:    Wed Dec 27 09:18:05 PST 2000
>Last-Modified:  Wed Dec 27 09:18:53 PST 2000
>Originator:     Przemyslaw Frasunek
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
Lublin BSD Users Group
>Environment:

FreeBSD lagoon.freebsd.lublin.pl 3.4-STABLE FreeBSD 3.4-STABLE #0: Sat Dec 18 17:37:37 CET 1999     root@:/usr/sys/compile/LAGOON  i386

>Description:

	1. Possible strcpy() buffer overflow in printjob.c:823
	2. No room for NULL termination in printjob.c:825, printjob.c:827,
	   printjob.c:836.
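Added illustration (not part of this PR or of lpr's source) of the two defects listed above and of the bounded-copy form the patch uses: a bare strncpy() leaves the buffer unterminated when the source fills it, and strncpy() bounded to sizeof(dst) - 1 plus an explicit terminator truncates instead. The buffer size and the control-file line are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size is constructed for illustration; the real lpr buffers differ. */
#define FIELD_LEN 8

/* Bounded copy in the form the patch introduces: strncpy limited to
 * dstsz - 1 bytes followed by an explicit terminator, so an over-long
 * control-file field is truncated instead of overflowing the buffer or
 * leaving it unterminated.  Returns 1 when truncation happened. */
static int copy_field(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(src) >= dstsz;
}

/* The original defect: strncpy(dst, src, n) writes no terminator when
 * strlen(src) >= n.  Returns 1 if no NUL lands in the first n bytes. */
static int strncpy_leaves_unterminated(const char *src, size_t n)
{
    char dst[FIELD_LEN];
    memset(dst, 'X', sizeof(dst));   /* stale bytes, as in a reused buffer */
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) == NULL;
}

/* Copies into a static FIELD_LEN buffer so the result can be inspected. */
static char field[FIELD_LEN];
static const char *copy_into_field(const char *src, int *truncated)
{
    int t = copy_field(field, sizeof(field), src);
    if (truncated != NULL)
        *truncated = t;
    return field;
}

int main(void)
{
    /* Constructed control-file line: 'H' tag followed by the host name. */
    const char *line = "Hlongclienthostname.example";
    int trunc;
    const char *host = copy_into_field(line + 1, &trunc);

    printf("fromhost=\"%s\" truncated=%d\n", host, trunc);
    printf("bare strncpy unterminated=%d\n",
           strncpy_leaves_unterminated(line + 1, FIELD_LEN - 1));
    return 0;
}
```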

>How-To-Repeat:

>Fix:
	
--- printjob.c.orig	Tue Jan 18 19:34:50 2000
+++ printjob.c	Tue Jan 18 19:39:23 2000
@@ -818,24 +818,30 @@
 			i = 0;
 			while (*cp >= '0' && *cp <= '9')
 				i = i * 10 + (*cp++ - '0');
 			fino = i;
 		} else if (line[0] == 'H') {
-			strcpy(fromhost, line+1);
+			strncpy(fromhost, line+1, sizeof(fromhost) - 1);
+			fromhost[sizeof(fromhost)-1] = '\0';
 			if (class[0] == '\0')
+			{
 				strncpy(class, line+1, sizeof(class) - 1);
+				class[sizeof(class)-1] = '\0';
+			}
 		} else if (line[0] == 'P') {
 			strncpy(logname, line+1, sizeof(logname) - 1);
+			logname[sizeof(logname)-1] = '\0';
 			if (pp->restricted) { /* restricted */
 				if (getpwnam(logname) == NULL) {
 					sendmail(pp, line+1, NOACCT);
 					err = ERROR;
 					break;
 				}
 			}
 		} else if (line[0] == 'I') {
 			strncpy(indent+2, line+1, sizeof(indent) - 3);
+			indent[2+sizeof(indent)-3] = '\0';
 		} else if (line[0] >= 'a' && line[0] <= 'z') {
 			strcpy(last, line);
 			while ((i = getline(cfp)) != 0)
 				if (strcmp(last, line))
 					break;
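Review bot: the unchanged context line `strcpy(last, line);` just below the `'I'` case is the same unbounded copy this hunk replaces for `fromhost`; unless `last` is guaranteed to be at least as large as `line`, it wants the same strncpy-plus-terminator treatment before this is committed. Two smaller points: `indent[2+sizeof(indent)-3] = '\0';` is just `indent[sizeof(indent)-1] = '\0';` and reads more clearly that way, and the braces added around the `class` block would match the surrounding `} else if (...) {` lines better as `if (class[0] == '\0') {` with the closing brace on its own line.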

>Release-Note:
>Audit-Trail:

From: Garance A Drosehn <gad@eclipse.acs.rpi.edu>
To: freebsd-gnats-submit@FreeBSD.org, venglin@lubi.FreeBSD.lublin.pl
Cc:  
Subject: Re: bin/16186: [PATCH] Insecure use of strncpy() and strcpy() in
 lpr(1)
Date: Mon, 24 Jan 2000 19:57:40 -0500

 In looking over printjob.c in freebsd-current, it looks like someone
 already made the changes suggested by this PR.  Those changes were
 done around Nov 30th, and they probably did not make it into the
 3.4-stable system which this PR is referencing.
 
 (maybe this should be added to 3.x branch too?  I didn't check to see
 if it's already there, I only looked at 'current')
 
 ---
 Garance Alistair Drosehn     =     gad@eclipse.acs.rpi.edu
 Senior Systems Programmer        (MIME & NeXTmail capable)
 Rensselaer Polytechnic Institute;           Troy NY    USA
 
From: Garance <gad@FreeBSD.org>
Date: Tue Nov 14 23:59:51 EST 2000

Turns out that while previous updates (from other people) had already
done some of this PR, there were two one-line fixes in here which had
not been done by anyone else yet.  So, I've added those to lpr in
freebsd-current.
 
State-Changed-From-To: open->suspended 
State-Changed-By: gad 
State-Changed-When: Tue Nov 14 20:57:48 PST 2000 
State-Changed-Why:  
Most of this patch had already been done, but two one-line fixes had not 
been.  I've added those fixes to current, and the change is awaiting MFC. 


Responsible-Changed-From-To: freebsd-bugs->gad@FreeBSD.org 
Responsible-Changed-By: gad 
Responsible-Changed-When: Tue Nov 14 20:57:48 PST 2000 
Responsible-Changed-Why:  
Because I'm trying to clean out PRs for lpr & friends.

http://www.freebsd.org/cgi/query-pr.cgi?pr=16186 
State-Changed-From-To: suspended->closed 
State-Changed-By: gad 
State-Changed-When: Wed Dec 27 09:18:05 PST 2000 
State-Changed-Why:  
Fix has been applied on both -current (5.x) and -stable (post 4.2) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=16186 
>Unformatted:
