From jau@jau.thunderbolt.fi  Tue Jan 28 01:51:49 1997
Received: from jau.thunderbolt.fi (root@jukkonen.dial.tele.fi [194.89.253.78])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id BAA03290
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 28 Jan 1997 01:51:39 -0800 (PST)
Received: (from jau@localhost) by jau.thunderbolt.fi (8.7.5/8.6.12+CSC-2.1) id KAA13618; Tue, 28 Jan 1997 10:46:00 +0200 (EET)
Message-Id: <199701280846.KAA13618@jau.thunderbolt.fi>
Date: Tue, 28 Jan 1997 10:46:00 +0200 (EET)
From: Jukka Ukkonen <jau@jau.thunderbolt.fi>
Reply-To: jau@iki.fi
To: FreeBSD-gnats-submit@freebsd.org
Subject: Buffer overflow in Paul Vixie's cron
X-Send-Pr-Version: 3.2

>Number:         2605
>Category:       bin
>Synopsis:       Buffer overflow in Paul Vixie's cron
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    imp
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 28 02:00:06 PST 1997
>Closed-Date:    Fri Mar 21 16:47:24 MST 1997
>Last-Modified:  Fri Mar 21 16:48:41 MST 1997
>Originator:     Jukka Ukkonen
>Release:        FreeBSD 2.1-STABLE i386
>Organization:
Private person
>Environment:

	This is a system software problem which is independent of the
	hardware environment in which the program is running.

>Description:

	It is possible to overflow a string buffer in Vixie's cron
	implementation by defining very long names for environment
	variables in a crontab. This erroneous behaviour could create
	a security problem unless fixed ASAP.

	The bug was found after a similar bug was reported in Linux,
	which uses a different version of Vixie's cron.

>How-To-Repeat:

	Make a crontab entry using an environment variable definition
	of the form

	A_VERY_LONG_ENVIRONMENT_ ... _VARIABLE_NAME=some_value
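
	The following is an added, stand-alone C example (not code from the
	original PR or from Vixie cron) that reproduces the parsing pattern
	behind this report: an unbounded "%[^ =]" conversion into a fixed
	name[] buffer, the length pre-check in the style of the patch below,
	and a hardened parser that also gives each scanset a width. The
	buffer sizes MAX_TEMPSTR and MAX_ENVSTR are assumed values chosen
	for illustration, the function names are the example's own, and the
	crontab lines it parses are constructed test input.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes for the name[MAX_TEMPSTR] / val[MAX_ENVSTR] buffers seen in
 * the patch; the real values are not given on this page. */
#define MAX_TEMPSTR 100
#define MAX_ENVSTR  1000

/* Bytes that an unbounded "%[^ =]" conversion would store into name[]
 * (everything before the first ' ' or '='), not counting the NUL. */
size_t scanset_name_len(const char *envstr)
{
    return strcspn(envstr, " =");
}

/* Length check in the style of the submitted patch: bytes before the first
 * '=' or newline, or the whole line if neither is present. */
size_t patch_name_len(const char *envstr)
{
    const char *ptr = strpbrk(envstr, "=\n");
    return ptr ? (size_t)(ptr - envstr) : strlen(envstr);
}

/* 1 if the unbounded sscanf would write past name[MAX_TEMPSTR] (len + NUL). */
int unbounded_parse_overflows(const char *envstr)
{
    return scanset_name_len(envstr) + 1 > MAX_TEMPSTR;
}

/* Hardened parser: reject over-long names up front and, in addition, give
 * every scanset a width so no conversion can exceed its destination.
 * Returns 1 for a "NAME=VALUE" line, 0 if the line is not an environment
 * definition or the name is too long. name/val are always NUL-terminated. */
int load_env_hardened(const char *envstr, char name[MAX_TEMPSTR], char val[MAX_ENVSTR])
{
    char fmt[48];

    name[0] = val[0] = '\0';
    if (patch_name_len(envstr) >= MAX_TEMPSTR)
        return 0;

    /* Builds "%99[^ =] = %999[^\n#]" from the buffer sizes so the widths
     * cannot drift away from the declarations. */
    snprintf(fmt, sizeof fmt, "%%%d[^ =] = %%%d[^\n#]", MAX_TEMPSTR - 1, MAX_ENVSTR - 1);

    return sscanf(envstr, fmt, name, val) == 2;
}

/* Constructed crontab line "AAA...A=x" whose name is namelen bytes long. */
void make_env_line(char *buf, size_t bufsz, size_t namelen)
{
    if (namelen + 3 > bufsz)
        namelen = bufsz - 3;
    memset(buf, 'A', namelen);
    buf[namelen] = '=';
    buf[namelen + 1] = 'x';
    buf[namelen + 2] = '\0';
}

/* Self-checks used by main(); each returns 1 on the expected outcome. */
int check_short_line_parses(void)
{
    char name[MAX_TEMPSTR], val[MAX_ENVSTR];
    return load_env_hardened("MAILTO=root", name, val) == 1
        && strcmp(name, "MAILTO") == 0 && strcmp(val, "root") == 0;
}

int check_long_name_rejected(void)
{
    char line[MAX_ENVSTR], name[MAX_TEMPSTR], val[MAX_ENVSTR];
    make_env_line(line, sizeof line, 2 * MAX_TEMPSTR);   /* 200-byte name */
    return unbounded_parse_overflows(line) == 1
        && load_env_hardened(line, name, val) == 0
        && strcmp(name, "") == 0;
}

int main(void)
{
    printf("short line parses:  %s\n", check_short_line_parses() ? "yes" : "no");
    printf("long name rejected: %s\n", check_long_name_rejected() ? "yes" : "no");
    return 0;
}
```

	Note that the pre-check and the scanset measure the name differently
	("MAILTO = root" is 7 bytes to the '=' but 6 bytes to the first
	space), which is why the hardened variant does not rely on the
	pre-check alone: the width on each conversion bounds the write no
	matter how the line is laid out.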

>Fix:
	
	See the attached patch...


--- cron/lib/env.c.orig	Sat Aug 27 16:43:02 1994
+++ cron/lib/env.c	Tue Dec 24 11:45:40 1996
@@ -117,6 +117,8 @@
 	int	fileline;
 	char	name[MAX_TEMPSTR], val[MAX_ENVSTR];
 	int	fields;
+	size_t	envlen;
+	char	*ptr;
 
 	filepos = ftell(f);
 	fileline = LineNumber;
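Review bot: the two new locals are added at the bottom of the declaration list with the generic name `ptr`, although `ptr` only ever holds the `strpbrk` result used to measure the variable name; placing `size_t envlen; char *ptr;` next to the `name[MAX_TEMPSTR]` they protect, or naming the pointer after its role (e.g. `name_end`), would make the purpose obvious to the next reader. The hunk also relies on `strpbrk`/`strlen` prototypes being visible in env.c without adding an include, so confirm `<string.h>` is already pulled in.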
@@ -125,6 +127,20 @@
 		return (ERR);
 
 	Debug(DPARS, ("load_env, read <%s>\n", envstr))
+
+	ptr = strpbrk (envstr, "=\n");
+
+	if (! ptr)
+	    envlen = strlen (envstr);
+	else
+	    envlen = ptr - envstr;
+
+	if (envlen >= MAX_TEMPSTR) {
+	    Debug(DPARS, ("load_env, var name too long\n"))
+	    fseek(f, filepos, 0);
+	    Set_LineNum(fileline);
+	    return (FALSE);
+	}
 
 	name[0] = val[0] = '\0';
 	fields = sscanf(envstr, "%[^ =] = %[^\n#]", name, val);
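Review bot: the `sscanf` on the last line of the hunk is left unbounded, so the protection of `name[MAX_TEMPSTR]` depends entirely on the pre-scan above it; a width in the scanset (e.g. `"%99[^ =] = %[^\n#]"`, with the width derived from MAX_TEMPSTR) would bound the write regardless of how the line is measured. The two measures also differ: `strpbrk(envstr, "=\n")` counts up to the first '=' or newline, while `%[^ =]` stops at the first space, so a line such as `NAME = value` is checked against a longer string than `sscanf` actually stores. That is conservative (it never under-counts unless a newline precedes the '='), but a width makes the bound exact. Two smaller points: the rejection path returns FALSE after rewinding, exactly like a line that is not an environment definition, so an over-long name is silently handed on to the next parser with only a `Debug` message; and `fseek(f, filepos, 0)` should use `SEEK_SET` rather than a literal 0.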
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->imp 
Responsible-Changed-By: imp 
Responsible-Changed-When: Sat Feb 8 23:45:28 MST 1997 
Responsible-Changed-Why:  
I'll verify that this has been corrected and fix if not. 
State-Changed-From-To: open->closed 
State-Changed-By: imp 
State-Changed-When: Fri Mar 21 16:47:24 MST 1997 
State-Changed-Why:  
This has already been fixed in FreeBSD -current by a different method. 
Fixes seem to have been back ported to -stable and 2.2 as well. 
>Unformatted:
