From nobody  Sun Oct 27 08:22:36 1996
Received: (from nobody@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id IAA29355;
          Sun, 27 Oct 1996 08:22:36 -0800 (PST)
Message-Id: <199610271622.IAA29355@freefall.freebsd.org>
Date: Sun, 27 Oct 1996 08:22:36 -0800 (PST)
From: tqbf@enteract.com
To: freebsd-gnats-submit@freebsd.org
Subject: There's a buffer overflow in FreeBSD libc glob()
X-Send-Pr-Version: www-1.0

>Number:         1905
>Category:       bin
>Synopsis:       There's a buffer overflow in FreeBSD libc glob()
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 27 08:30:02 PST 1996
>Closed-Date:    Wed Feb 5 22:26:31 PST 1997
>Last-Modified:  Wed Feb  5 22:27:08 PST 1997
>Originator:     Thomas Ptacek
>Release:        FreeBSD 2.1.5-RELEASE
>Organization:
EnterAct, L.L.C.
>Environment:
FreeBSD adam 2.1-STABLE FreeBSD 2.1-STABLE #0: Mon Sep  9 03:07:45 CDT 1996
tqbf@adam:/home1/src/sys/compile/ADAMSTOMP  i386
>Description:
glob0() calls globtilde() immediately, passing it a pointer to 
an array in glob0's stack frame. globtilde() will copy the 
contents of the HOME environment variable over this pointer without
bounds checking.
>How-To-Repeat:

>Fix:

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: mpp 
State-Changed-When: Wed Feb 5 22:26:31 PST 1997 
State-Changed-Why:  
Duplicate of PR# 2580 (which supplies code to fix the 
problem). 
>Unformatted:
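
Added example, not part of the original report and not FreeBSD's libc code: a simplified C model of the copy pattern the Description refers to, next to a length-checked version. The function names, the `home` parameter (standing in for the HOME environment variable) and the buffer sizes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the reported pattern: the destination is a
 * fixed-size array owned by the caller, but its size is never passed
 * in, so a long home string is written past the end of out. */
void tilde_expand_unbounded(const char *pattern, const char *home, char *out)
{
    if (pattern[0] == '~' && (pattern[1] == '/' || pattern[1] == '\0')) {
        while (*home)
            *out++ = *home++;        /* length of home never checked */
        pattern++;
    }
    while ((*out++ = *pattern++) != '\0')
        ;
}

/* Length-checked version: the caller states the buffer size, and the
 * expansion is rejected before any byte is written if it cannot fit.
 * Returns 0 on success, -1 if home + rest + NUL exceeds outlen. */
int tilde_expand_bounded(const char *pattern, const char *home,
                         char *out, size_t outlen)
{
    const char *prefix = "", *rest = pattern;
    size_t plen, rlen;

    if (pattern[0] == '~' && (pattern[1] == '/' || pattern[1] == '\0')) {
        prefix = home;
        rest = pattern + 1;
    }
    plen = strlen(prefix);
    rlen = strlen(rest);
    /* Need plen + rlen + 1 <= outlen, written so the sum cannot wrap. */
    if (plen >= outlen || rlen >= outlen - plen)
        return -1;
    memcpy(out, prefix, plen);
    memcpy(out + plen, rest, rlen + 1);   /* copies the NUL as well */
    return 0;
}

int main(void)
{
    char buf[16];                         /* constructed, deliberately small */
    const char *long_home = "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
    printf("short: %d\n", tilde_expand_bounded("~/x", "/home/u", buf, sizeof buf));
    printf("long:  %d\n", tilde_expand_bounded("~/x", long_home, buf, sizeof buf));
    return 0;
}
```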
