From proff@profane.iq.org  Sat Jan 25 07:06:27 1997
Received: from profane.iq.org (profane.iq.org [203.4.184.217])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA04705;
          Sat, 25 Jan 1997 07:06:08 -0800 (PST)
Received: (from proff@localhost)
          by profane.iq.org (8.8.4/8.8.2) id CAA12590;
          Sun, 26 Jan 1997 02:06:27 +1100 (EST)
Message-Id: <199701251506.CAA12590@profane.iq.org>
Date: Sun, 26 Jan 1997 02:06:27 +1100 (EST)
From: Julian Assange <proff@iq.org>
Reply-To: proff@iq.org
To: FreeBSD-gnats-submit@freebsd.org, dyson@freebsd.org
Subject: security hole in glob.c
X-Send-Pr-Version: 3.2

>Number:         2580
>Category:       bin
>Synopsis:       security hole in glob.c
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    imp
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 25 07:10:00 PST 1997
>Closed-Date:    Sun Mar 23 16:32:00 MST 1997
>Last-Modified:  Sun Mar 23 16:32:33 MST 1997
>Originator:     Julian Assange
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
>Environment:

	

>Description:

	The libc routine glob() calls globtilde() to expand ~.
	globtilde() will copy $HOME to the pattern buf without
	any bounds checking(!)

	

>How-To-Repeat:

	

>Fix:
	
	


--- src/lib/libc/gen/glob.c	Thu Oct 31 15:32:27 1996
+++ src/lib/libc/gen/glob.c.new	Sun Jan 26 01:53:07 1997
@@ -142,7 +142,7 @@
 static int	 glob2 __P((Char *, Char *, Char *, glob_t *));
 static int	 glob3 __P((Char *, Char *, Char *, Char *, glob_t *));
 static int	 globextend __P((const Char *, glob_t *));
-static const Char *	 globtilde __P((const Char *, Char *, glob_t *));
+static const Char *	 globtilde __P((const Char *, Char *, int, glob_t *));
 static int	 globexp1 __P((const Char *, glob_t *));
 static int	 globexp2 __P((const Char *, const Char *, glob_t *, int *));
 static int	 match __P((Char *, Char *, Char *));
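Review bot: the new `int len` parameter on the globtilde prototype needs its unit stated, because the function uses `patbuf` both ways: the username copy below writes through `h = (char *) patbuf` (bytes) while the home-directory and tail copies advance a `Char *` (elements), and the only caller passes `sizeof patbuf`, a `size_t` in bytes that is narrowed to `int` without a cast. Add a one-line comment saying whether `len` counts bytes or `Char` elements and make every loop use that unit.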
@@ -332,21 +332,23 @@
  * expand tilde from the passwd file.
  */
 static const Char *
-globtilde(pattern, patbuf, pglob)
+globtilde(pattern, patbuf, len, pglob)
 	const Char *pattern;
 	Char *patbuf;
+	int len;
 	glob_t *pglob;
 {
 	struct passwd *pwd;
 	char *h;
 	const Char *p;
 	Char *b;
+	int l;
 
 	if (*pattern != TILDE || !(pglob->gl_flags & GLOB_TILDE))
 		return pattern;
 
 	/* Copy up to the end of the string or / */
-	for (p = pattern + 1, h = (char *) patbuf; *p && *p != SLASH;
+	for (l = len, p = pattern + 1, h = (char *) patbuf; *p && *p != SLASH && l-- >0;
 	     *h++ = *p++)
 		continue;
 
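Review bot: the bounded username copy `*p && *p != SLASH && l-- >0` reserves no slot for the terminator that has to follow the copied name before it can be used as a string, so a name of exactly `len` characters still writes one past the end; start with `l = len - 1`. When the loop stops because `l` ran out, `*p` is neither EOS nor SLASH, yet the code continues with a silently truncated name; check for that case after the loop and return `pattern` unexpanded (or an error) instead. Minor: write `l-- > 0`.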
@@ -375,11 +377,11 @@
 	}
 
 	/* Copy the home directory */
-	for (b = patbuf; *h; *b++ = *h++)
+	for (l = len, b = patbuf; *h && l-- >0; *b++ = *h++)
 		continue;
 
 	/* Append the rest of the pattern */
-	while ((*b++ = *p++) != EOS)
+	while (l-- >0 && (*b++ = *p++) != EOS)
 		continue;
 
 	return patbuf;
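Review bot: when `while (l-- >0 && (*b++ = *p++) != EOS)` exits because `l` reached zero, the last character stored was not EOS, so `patbuf` is returned unterminated and the caller's subsequent scan of it runs off the end anyway; the overflow is moved out of globtilde() rather than removed. Either reserve one element up front (`l = len - 1`) and store EOS at `*b` when the loop ends on the bound, or, better, treat running out of room as an error the caller can propagate instead of matching a truncated path. Same spacing nit as above: `l-- > 0`.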
@@ -402,7 +404,7 @@
 	int c, err, oldpathc;
 	Char *bufnext, patbuf[MAXPATHLEN+1];
 
-	qpatnext = globtilde(pattern, patbuf, pglob);
+	qpatnext = globtilde(pattern, patbuf, sizeof patbuf, pglob);
 	oldpathc = pglob->gl_pathc;
 	bufnext = patbuf;
 
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: mpp 
Responsible-Changed-When: Sat Jan 25 23:09:58 PST 1997 
Responsible-Changed-Why:  
Misfiled PR. 
Responsible-Changed-From-To: freebsd-bugs->freebsd-bugs 
Responsible-Changed-By: fenner 
Responsible-Changed-When: Mon Jan 27 10:31:52 PST 1997 
Responsible-Changed-Why:  
It didn't. 
Responsible-Changed-From-To: freebsd-bugs->imp 
Responsible-Changed-By: imp 
Responsible-Changed-When: Sat Feb 8 23:40:19 MST 1997 
Responsible-Changed-Why:  
It's on my list now. 
State-Changed-From-To: open->closed 
State-Changed-By: imp 
State-Changed-When: Sun Mar 23 16:32:00 MST 1997 
State-Changed-Why:  

Fixed in 1.7 of glob.c by a similar, but different, patch. 
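A bounded stand-in for the copy that globtilde() performs, added here as an example and not code from FreeBSD's glob.c or from this PR: it takes the home directory as a parameter (the real code gets it from $HOME or the passwd file), uses plain char in place of glob.c's Char typedef, checks the total length before writing anything, and reports truncation as an error instead of returning an unterminated buffer.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not FreeBSD's glob.c. `home` stands in for the $HOME
 * / passwd lookup the real globtilde() performs, and plain char stands
 * in for glob.c's Char typedef, so buflen is a count of bytes.
 *
 * Expand a leading "~" or "~/rest" into buf. Returns the length of the
 * result (excluding the terminator), or -1 when it would not fit in
 * buflen bytes including the terminator. On -1 buf is left as an empty
 * string, never unterminated, so a caller that ignores the error still
 * cannot read past the end. Patterns not starting with "~" or "~/"
 * (including "~user", which the real code resolves via getpwnam())
 * are copied through unchanged, subject to the same bound. */
static int expand_tilde(const char *pattern, const char *home,
                        char *buf, size_t buflen)
{
    const char *rest;
    size_t homelen, restlen;

    if (buflen == 0)
        return -1;
    buf[0] = '\0';

    if (pattern[0] != '~' || (pattern[1] != '\0' && pattern[1] != '/')) {
        restlen = strlen(pattern);
        if (restlen >= buflen)          /* no room for the NUL */
            return -1;
        memcpy(buf, pattern, restlen + 1);
        return (int)restlen;
    }

    rest = pattern + 1;                 /* "" or "/rest" */
    homelen = strlen(home);
    restlen = strlen(rest);
    /* Decide on the total before writing a byte: no partial copies,
     * and the check covers the terminator as well. */
    if (homelen + restlen >= buflen)
        return -1;
    memcpy(buf, home, homelen);
    memcpy(buf + homelen, rest, restlen + 1);   /* copies the NUL too */
    return (int)(homelen + restlen);
}
```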
>Unformatted:
