From proff@profane.iq.org  Sat Jan 25 07:47:16 1997
Received: from profane.iq.org (profane.iq.org [203.4.184.217])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA05763;
          Sat, 25 Jan 1997 07:46:54 -0800 (PST)
Received: (from proff@localhost)
          by profane.iq.org (8.8.4/8.8.2) id CAA12847;
          Sun, 26 Jan 1997 02:47:11 +1100 (EST)
Message-Id: <199701251547.CAA12847@profane.iq.org>
Date: Sun, 26 Jan 1997 02:47:11 +1100 (EST)
From: Julian Assange <proff@iq.org>
Reply-To: proff@iq.org
To: FreeBSD-gnats-submit@freebsd.org, dyson@freebsd.org
Subject: security holes in libtermcap
X-Send-Pr-Version: 3.2

>Number:         2581
>Category:       bin
>Synopsis:       security holes in libtermcap
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    imp
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 25 07:50:01 PST 1997
>Closed-Date:    Tue Oct 14 12:33:13 MDT 1997
>Last-Modified:  Tue Oct 14 12:33:30 MDT 1997
>Originator:     Julian Assange
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
>Environment:

	

>Description:

	Exploitable buffer overflow (via $HOME). Almost certainly others on
	$TERMCAP and user-defined termcap file parsing.

	In addition, buffers are not cleared, so setuid programs that change
	back to a user-level uid will possibly leak parts of any file

	

>How-To-Repeat:

	

>Fix:
	
	

	ignore user-supplied environments when running with privs
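
	The rule stated above (ignore the invoker's environment when the process is set-id, and never let an environment value overrun the fixed path buffer), as an added example written for this page; it is not code from the PR or from FreeBSD's libtermcap. PBUFSIZ, MAXPATHS, copy_bounded, build_termpath and split_termpath are names chosen here, and the environment values are passed as parameters instead of being read with getenv so the logic can be exercised on constructed input.

```c
/* Added example: bounds-checked termcap search-path construction.
 * Not FreeBSD's libtermcap; PBUFSIZ, MAXPATHS and all names are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PBUFSIZ   512   /* assumed size of the path buffer */
#define MAXPATHS  8     /* assumed size of the file-name vector */
#define PATH_DEF      ".termcap /usr/share/misc/termcap"
#define PATH_DEF_SEC  "/usr/share/misc/termcap"

/* Copy src into dst[dstlen], always NUL-terminating. Returns -1 when src
 * does not fit; unlike strncpy(3) it never leaves an unterminated buffer. */
static int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Build the termcap search path into out[outlen].
 * setugid: non-zero when real and effective uid/gid differ (or, better,
 *   when issetugid(2) reports the process was ever set-id); the
 *   environment is then ignored and only the system file is used.
 * termcap, termpath, home: the environment values (NULL = unset).
 * Returns 0, or -1 if the chosen value cannot be stored with its NUL. */
int build_termpath(int setugid, const char *termcap, const char *termpath,
                   const char *home, char *out, size_t outlen)
{
    if (outlen == 0)
        return -1;
    if (setugid)                                /* privileged: system path only */
        return copy_bounded(out, outlen, PATH_DEF_SEC);
    if (termcap && termcap[0] == '/')           /* TERMCAP names a file */
        return copy_bounded(out, outlen, termcap);
    if (termpath)                               /* explicit search path */
        return copy_bounded(out, outlen, termpath);
    /* Default "$HOME/.termcap /usr/share/misc/termcap". As in the patch,
     * a $HOME that would not fit is skipped rather than copied. */
    if (home) {
        size_t hl = strlen(home);
        if (hl + 1 + strlen(PATH_DEF) < outlen) {
            memcpy(out, home, hl);
            out[hl] = '/';
            memcpy(out + hl + 1, PATH_DEF, strlen(PATH_DEF) + 1);
            return 0;
        }
    }
    return copy_bounded(out, outlen, PATH_DEF);
}

/* Split buf in place on spaces and colons into vec[]. Returns the count,
 * or -1 if more than maxvec names are present. Depends on buf being
 * NUL-terminated, which is what an unterminated strncpy into it breaks. */
int split_termpath(char *buf, char **vec, int maxvec)
{
    int n = 0;
    char *p = buf;
    while (*p) {
        while (*p == ' ' || *p == ':')
            p++;
        if (*p == '\0')
            break;
        if (n == maxvec)
            return -1;
        vec[n++] = p;
        while (*p && *p != ' ' && *p != ':')
            p++;
        if (*p)
            *p++ = '\0';
    }
    return n;
}

int main(void)
{
    char pathbuf[PBUFSIZ], *names[MAXPATHS];
    char longhome[PBUFSIZ + 100];               /* constructed oversized $HOME */
    int i, n, setugid;

    memset(longhome, 'A', sizeof longhome - 1);
    longhome[sizeof longhome - 1] = '\0';

    /* Ordinary user with a normal $HOME and nothing else set. */
    build_termpath(0, NULL, NULL, "/home/alice", pathbuf, sizeof pathbuf);
    n = split_termpath(pathbuf, names, MAXPATHS);
    for (i = 0; i < n; i++)
        printf("unprivileged: %s\n", names[i]);

    /* Set-id process with a hostile $HOME: environment never consulted. */
    build_termpath(1, NULL, NULL, longhome, pathbuf, sizeof pathbuf);
    printf("privileged:   %s\n", pathbuf);

    /* This process: honour the environment only when not set-id. */
    setugid = getuid() != geteuid() || getgid() != getegid();
    if (build_termpath(setugid, getenv("TERMCAP"), getenv("TERMPATH"),
                       getenv("HOME"), pathbuf, sizeof pathbuf) == 0)
        printf("this process: %s\n", pathbuf);
    return 0;
}
```

	The two differences from the patched library are deliberate: a value that does not fit is rejected with -1 instead of being truncated by strncpy, and the set-id branch is taken from a single flag so the caller can substitute issetugid(2) where the platform provides it.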

--- src/lib/libtermcap/termcap.c.orig	Sun Jan 26 02:13:12 1997
+++ src/lib/libtermcap/termcap.c	Sun Jan 26 02:32:12 1997
@@ -89,31 +89,37 @@
 	pvec = pathvec;
 	tbuf = bp;
 	p = pathbuf;
-	cp = getenv("TERMCAP");
-	/*
-	 * TERMCAP can have one of two things in it. It can be the
-	 * name of a file to use instead of /etc/termcap. In this
-	 * case it better start with a "/". Or it can be an entry to
-	 * use so we don't have to read the file. In this case it
-	 * has to already have the newlines crunched out.  If TERMCAP
-	 * does not hold a file name then a path of names is searched
-	 * instead.  The path is found in the TERMPATH variable, or
-	 * becomes "$HOME/.termcap /etc/termcap" if no TERMPATH exists.
-	 */
-	if (!cp || *cp != '/') {	/* no TERMCAP or it holds an entry */
-		if ( (termpath = getenv("TERMPATH")) )
-			strncpy(pathbuf, termpath, PBUFSIZ);
-		else {
-			if ( (home = getenv("HOME")) ) {/* set up default */
-				p += strlen(home);	/* path, looking in */
-				strcpy(pathbuf, home);	/* $HOME first */
-				*p++ = '/';
-			}	/* if no $HOME look in current directory */
-			strncpy(p, _PATH_DEF, PBUFSIZ - (p - pathbuf));
+	if (getuid() != geteuid() ||
+	    getgid() != getegid())
+		strcpy(p, _PATH_DEF_SEC);
+	else {
+		cp = getenv("TERMCAP");
+		/*
+		 * TERMCAP can have one of two things in it. It can be the
+		 * name of a file to use instead of /etc/termcap. In this
+		 * case it better start with a "/". Or it can be an entry to
+		 * use so we don't have to read the file. In this case it
+		 * has to already have the newlines crunched out.  If TERMCAP
+		 * does not hold a file name then a path of names is searched
+		 * instead.  The path is found in the TERMPATH variable, or
+		 * becomes "$HOME/.termcap /etc/termcap" if no TERMPATH exists.
+		 */
+		if (!cp || *cp != '/') {	/* no TERMCAP or it holds an entry */
+			if    ( (termpath = getenv("TERMPATH")) )
+				strncpy(pathbuf, termpath, PBUFSIZ);
+			else {
+				if ( (home = getenv("HOME")) &&
+				    strlen(home) < PBUFSIZ-2) {/* set up default */
+					p += strlen(home);	/* path, looking in */
+					strcpy(pathbuf, home);	/* $HOME first */
+					*p++ = '/';
+				}	/* if no $HOME look in current directory */
+				strncpy(p, _PATH_DEF, PBUFSIZ - (p - pathbuf));
+			}
 		}
+		else				/* user-defined name in TERMCAP */
+			strncpy(pathbuf, cp, PBUFSIZ);	/* still can be tokenized */
 	}
-	else				/* user-defined name in TERMCAP */
-		strncpy(pathbuf, cp, PBUFSIZ);	/* still can be tokenized */
 
 	*fname++ = pathbuf;	/* tokenize path into vector of names */
 	while (*++p)
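Review bot: the privilege test `getuid() != geteuid() || getgid() != getegid()` at the top of the hunk is narrower than the stated intent ("ignore user supplied environments when running with privs"): a set-id program that has already made its real and effective ids equal (setuid(0) in a setuid-root binary, or a program that swapped ids and will swap back) fails the test and goes back to honouring $TERMCAP, $TERMPATH and $HOME from the invoker. Where the platform has issetugid(2) it answers the intended question (was this process ever set-id); otherwise document that tgetent must be called before any id change. Separately, the unprivileged branch still leaves pathbuf possibly unterminated: `strncpy(pathbuf, termpath, PBUFSIZ);` and `strncpy(pathbuf, cp, PBUFSIZ);` write no NUL when the value is PBUFSIZ bytes or longer, and after a $HOME of up to PBUFSIZ-3 bytes passes the new `strlen(home) < PBUFSIZ-2` check only two bytes remain for `strncpy(p, _PATH_DEF, PBUFSIZ - (p - pathbuf));`, which truncates _PATH_DEF without terminating it; the `while (*++p)` tokenizer that follows then scans past the end of pathbuf. Add `pathbuf[PBUFSIZ - 1] = '\0';` after those copies (or reject values that do not fit), and update the "if no $HOME look in current directory" comment, since an oversized $HOME now also takes that path.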
--- src/lib/libtermcap/pathnames.h.orig	Sun Jan 26 02:29:35 1997
+++ src/lib/libtermcap/pathnames.h	Sun Jan 26 02:29:54 1997
@@ -34,3 +34,4 @@
  */
 
 #define	_PATH_DEF	".termcap /usr/share/misc/termcap"
+#define	_PATH_DEF_SEC	"/usr/share/misc/termcap"
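Review bot: _PATH_DEF_SEC repeats the system path already spelled out inside _PATH_DEF, so the two can drift apart if either is edited alone; define the shared component once, e.g. `#define _PATH_DEF_SEC "/usr/share/misc/termcap"` followed by `#define _PATH_DEF ".termcap " _PATH_DEF_SEC`, and add a one-line comment that _PATH_DEF_SEC is the search path used when the process is set-user-ID or set-group-ID, since nothing in pathnames.h otherwise explains why a second default exists.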
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: mpp 
Responsible-Changed-When: Sat Jan 25 23:10:54 PST 1997 
Responsible-Changed-Why:  
Misfiled PR. 
Responsible-Changed-From-To: freebsd-bugs->freebsd-bugs 
Responsible-Changed-By: fenner 
Responsible-Changed-When: Mon Jan 27 10:31:52 PST 1997 
Responsible-Changed-Why:  
It didn't. 
Responsible-Changed-From-To: freebsd-bugs->imp 
Responsible-Changed-By: imp 
Responsible-Changed-When: Sat Feb 8 23:41:12 MST 1997 
Responsible-Changed-Why:  
It's on my list now 
State-Changed-From-To: open->closed 
State-Changed-By: imp 
State-Changed-When: Tue Oct 14 12:33:13 MDT 1997 
State-Changed-Why:  
This has been fixed. 

>Unformatted:
