From venglin@freebsd.lublin.pl  Fri Feb  2 15:30:48 2001
Message-Id: <20010202232835.70065.qmail@riget.scene.pl>
Date: 2 Feb 2001 23:28:35 -0000
From: venglin@freebsd.lublin.pl
Reply-To: venglin@freebsd.lublin.pl
To: FreeBSD-gnats-submit@freebsd.org
Subject: kerberosIV and heimdal ftpd is vulnerable to buffer overflow
X-Send-Pr-Version: 3.2

>Number:         24810
>Category:       bin
>Synopsis:       kerberosIV and heimdal ftpd is vulnerable to buffer overflow
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 02 15:40:00 PST 2001
>Closed-Date:    Sun Sep 2 16:29:18 PDT 2001
>Last-Modified:  Sun Sep 02 16:29:38 PDT 2001
>Originator:     Przemyslaw Frasunek
>Release:        FreeBSD 4.2-STABLE i386
>Organization:
ISMEDIA
>Environment:

	FreeBSD 4.2-STABLE as of 3 Feb 2001.

>Description:

	The ftpd shipped with KTH Kerberos 5 (Heimdal) and KerberosIV is
	vulnerable to a strtok()-based stack overflow: the loop in popen.c
	that splits the command line with strtok_r() stores the tokens into a
	fixed-size argv[] array on the stack without bounding the token count.
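As an added example (not part of this PR or of the Heimdal/KTH ftpd sources), a bounded replacement for the split loop that also guarantees the terminating NULL, plus a helper that feeds it constructed command lines of n words; `split_args`, `split_count` and the rejection-on-overflow behaviour are choices made here, not ftpd's.

```c
#include <stdlib.h>
#include <string.h>
#define MAXUSRARGS 100          /* same bound the patch introduces */

/*
 * Split 'program' in place on blanks, tabs and newlines into argv[0..max-2]
 * and always write the terminating NULL that execv() and the glob loop rely
 * on.  Returns the token count, or -1 if the line has more than max-1 tokens,
 * so the caller can reject the command instead of silently dropping arguments.
 * Added example, not ftpd's code; strtok() is the ISO C form of strtok_r().
 */
static long split_args(char *program, char **argv, size_t max)
{
    size_t argc = 0;
    char *tok;
    if (max == 0)
        return -1;
    for (tok = strtok(program, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        if (argc >= max - 1) {      /* slot max-1 is reserved for the NULL */
            argv[max - 1] = NULL;
            return -1;
        }
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return (long)argc;
}

/* Test helper: build a constructed line of n words ("x x x ...") and split
 * it into a MAXUSRARGS-sized array, like the local argv[] in ftpd's popen. */
static long split_count(size_t n)
{
    char *argv[MAXUSRARGS];
    char *line = malloc(2 * n + 1);
    long rc;
    size_t i;
    if (line == NULL)
        return -2;
    for (i = 0; i < n; i++) {
        line[2 * i] = 'x';
        line[2 * i + 1] = ' ';
    }
    line[2 * n] = '\0';
    rc = split_args(line, argv, MAXUSRARGS);
    if (rc >= 0 && argv[rc] != NULL)
        rc = -3;                    /* missing terminator would be a bug */
    free(line);
    return rc;
}
```

With the original unbounded loop, split_count(250) would write 150 pointers past a 100-entry array; here it returns -1 and the array stays terminated.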

>How-To-Repeat:

	N/A

>Fix:

--- crypto/heimdal/appl/ftp/ftpd/popen.c.orig	Sat Feb  3 00:20:07 2001
+++ crypto/heimdal/appl/ftp/ftpd/popen.c	Sat Feb  3 00:23:10 2001
@@ -66,6 +66,9 @@
 
 #include <roken.h>
 
+#define MAXUSRARGS	100
+#define MAXGLOBARGS	1000
+
 /* 
  * Special version of popen which avoids call to shell.  This ensures
  * no one may create a pipe to a hidden program as a side effect of a
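Review bot: the two new macros need a comment stating that both arrays must keep one slot for the terminating NULL, because the loops below compare against `MAXGLOBARGS-1` for gargv but against `MAXUSRARGS` itself for argv; that asymmetry is easy to misread (and, as written, the argv bound does not reserve the slot at all).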
@@ -103,7 +106,7 @@
 	char *cp;
 	FILE *iop;
 	int argc, gargc, pdes[2], pid;
-	char **pop, *argv[100], *gargv[1000];
+	char **pop, *argv[MAXUSRARGS], *gargv[MAXGLOBARGS];
 	char *foo;
 
 	if (strcmp(type, "r") && strcmp(type, "w"))
@@ -126,14 +129,14 @@
 
 	/* break up string into pieces */
 	foo = NULL;
-	for (argc = 0, cp = program;; cp = NULL) {
+	for (argc = 0, cp = program; argc < MAXUSRARGS; cp = NULL) {
 		if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
 			break;
 	}
 
 	gargv[0] = (char*)ftp_rooted(argv[0]);
 	/* glob each piece */
-	for (gargc = argc = 1; argv[argc]; argc++) {
+	for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
 		glob_t gl;
 		int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
 
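Review bot: the new `argc < MAXUSRARGS` bound on the strtok_r() loop can leave argv unterminated. When the line holds 100 or more words the loop exits on the bound with a token still in argv[99] and no NULL written, so the glob loop right below (`argv[argc] && ...`) reads argv[100], one past the array, and the vector handed on later has no terminator. Either stop at `argc < MAXUSRARGS - 1` and write `argv[argc] = NULL;` after the loop, or keep the bound and add `argv[argc - 1] = NULL;` after the loop so the last stored slot is always the terminator (a no-op on the normal break path, a truncation on the bound path).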
@@ -141,7 +144,7 @@
 		if (no_glob || glob(argv[argc], flags, NULL, &gl))
 			gargv[gargc++] = strdup(argv[argc]);
 		else
-			for (pop = gl.gl_pathv; *pop; pop++)
+			for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1); pop++)
 				gargv[gargc++] = strdup(*pop);
 		globfree(&gl);
 	}
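Review bot: the `gargc < (MAXGLOBARGS-1)` guard silently drops glob matches past the cap, and since the outer loop shares the same guard every remaining user argument is dropped as well, so the command runs with an argument list different from the one the client sent. If that is acceptable it deserves a comment at the guard; otherwise treat reaching the cap as an error (free the strdup'd entries, globfree(), return NULL) so the caller refuses the command. The unchecked strdup() returns here are pre-existing, not introduced by this hunk.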
--- crypto/kerberosIV/appl/ftp/ftpd/popen.c.orig	Sat Feb  3 00:26:04 2001
+++ crypto/kerberosIV/appl/ftp/ftpd/popen.c		Sat Feb  3 00:24:25 2001
@@ -66,6 +66,9 @@
 
 #include <roken.h>
 
+#define MAXUSRARGS	100
+#define MAXGLOBARGS	1000
+
 /* 
  * Special version of popen which avoids call to shell.  This ensures
  * no one may create a pipe to a hidden program as a side effect of a
@@ -103,7 +106,7 @@
 	char *cp;
 	FILE *iop;
 	int argc, gargc, pdes[2], pid;
-	char **pop, *argv[100], *gargv[1000];
+	char **pop, *argv[MAXUSRARGS], *gargv[MAXGLOBARGS];
 	char *foo;
 
 	if (strcmp(type, "r") && strcmp(type, "w"))
@@ -126,14 +129,14 @@
 
 	/* break up string into pieces */
 	foo = NULL;
-	for (argc = 0, cp = program;; cp = NULL) {
+	for (argc = 0, cp = program; argc < MAXUSRARGS; cp = NULL) {
 		if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
 			break;
 	}
 
 	gargv[0] = (char*)ftp_rooted(argv[0]);
 	/* glob each piece */
-	for (gargc = argc = 1; argv[argc]; argc++) {
+	for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
 		glob_t gl;
 		int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
 
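Review bot: this copy of the loop has the same termination gap as the heimdal one: with 100 or more words the loop exits on `argc < MAXUSRARGS` without storing a NULL, argv[99] still holds a token, and the glob loop below then reads argv[100] past the array. Add `argv[argc - 1] = NULL;` after the loop, or bound at `MAXUSRARGS - 1` and write the terminator explicitly.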
@@ -141,7 +144,7 @@
 		if (no_glob || glob(argv[argc], flags, NULL, &gl))
 			gargv[gargc++] = strdup(argv[argc]);
 		else
-			for (pop = gl.gl_pathv; *pop; pop++)
+			for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1); pop++)
 				gargv[gargc++] = strdup(*pop);
 		globfree(&gl);
 	}
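Review bot: as in the heimdal copy, `gargc < (MAXGLOBARGS-1)` truncates silently, both the remaining glob matches and, through the shared guard on the outer loop, every remaining user argument. Either document that behaviour at the guard or turn reaching the cap into a failure (free the strdup'd entries, globfree(), return NULL) so the command is rejected rather than run with a shortened argument list.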

>Release-Note:
>Audit-Trail:

From: Kris Kennaway <kris@obsecurity.org>
To: venglin@freebsd.lublin.pl
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/24810: kerberosIV and heimdal ftpd is vulnerable to buffer overflow
Date: Sun, 4 Feb 2001 01:39:05 -0800

 On Fri, Feb 02, 2001 at 11:28:35PM +0000, venglin@freebsd.lublin.pl wrote:
 
 > 	KTH Kerberos5 and KerberosIV ftpd is vulnerable to strtok() based
 > 	stack overflow.
 
 Thanks, but AFAIK we don't compile this code.
 
 Kris
 
 
State-Changed-From-To: open->closed 
State-Changed-By: jon 
State-Changed-When: Sun Sep 2 16:29:18 PDT 2001 
State-Changed-Why:  
We don't use this code, no reason to keep this open. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=24810 
>Unformatted:
