From proff@profane.iq.org  Sat Jan 25 17:23:33 1997
Received: from profane.iq.org (profane.iq.org [203.4.184.217])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA06653;
          Sat, 25 Jan 1997 17:23:06 -0800 (PST)
Received: (from proff@localhost)
          by profane.iq.org (8.8.4/8.8.2) id MAA15151;
          Sun, 26 Jan 1997 12:23:24 +1100 (EST)
Message-Id: <199701260123.MAA15151@profane.iq.org>
Date: Sun, 26 Jan 1997 12:23:24 +1100 (EST)
From: Julian Assange <proff@iq.org>
Reply-To: proff@iq.org
To: FreeBSD-gnats-submit@freebsd.org, dyson@freebsd.org
Subject: remote root security hole in rexecd
X-Send-Pr-Version: 3.2

>Number:         2587
>Category:       bin
>Synopsis:       remote root security hole in rexecd
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 25 17:30:01 PST 1997
>Closed-Date:    Sat Feb 8 23:17:44 MET 1997
>Last-Modified:  Sat Feb  8 23:18:56 MET 1997
>Originator:     Julian Assange
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
>Environment:

	

>Description:

	

	rexecd's cmdbuf is ARG_MAX == 65535 bytes. If more than this is sent
	as the command, error() is called, which sprintf()s this onto the
	stack over the top of a BUFSIZ buf (1024 bytes)
	without any bounds checking. this is remotely exploitable

>How-To-Repeat:

	

>Fix:
	
	

--- src/libexec/rexecd/rexecd.c~	Sun Jan 26 12:12:09 1997
+++ src/libexec/rexecd/rexecd.c	Sun Jan 26 12:12:09 1997
@@ -289,7 +289,7 @@
 	char buf[BUFSIZ];
 
 	buf[0] = 1;
-	(void) sprintf(buf+1, fmt, a1, a2, a3);
+	(void) snprintf(buf+1, sizeof(buf)-1, fmt, a1, a2, a3);
 	(void) write(2, buf, strlen(buf));
 }
 
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: mpp 
Responsible-Changed-When: Sat Jan 25 23:15:43 PST 1997 
Responsible-Changed-Why:  
Misfiled PR. 
Responsible-Changed-From-To: freebsd-bugs->freebsd-bugs 
Responsible-Changed-By: fenner 
Responsible-Changed-When: Mon Jan 27 10:31:52 PST 1997 
Responsible-Changed-Why:  
It didn't. 

From: proff@iq.org
To: freebsd-gnats-submit@freebsd.org, proff@iq.org
Cc:  Subject: subject=Re: bin/2587: remote root security hole in rexecd
Date: Fri, 7 Feb 1997 00:55:26 +1100 (EST)

 The bug described does not exist (I xlated fmt and err arguments).
 I sent a follow up on this in another PR (nfs + rexecd) on one
 that does.
State-Changed-From-To: open->closed 
State-Changed-By: joerg 
State-Changed-When: Sat Feb 8 23:17:44 MET 1997 
State-Changed-Why:  
Closed at originator's request, see the audit-trail. 

>Unformatted:
