From tenser@spitfire.ecsel.psu.edu  Mon Feb  3 20:28:57 1997
Received: from spitfire.ecsel.psu.edu (qmailr@spitfire.ecsel.psu.edu [146.186.218.51])
          by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id UAA16887
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 3 Feb 1997 20:28:14 -0800 (PST)
Received: (qmail 1234 invoked by uid 1000); 4 Feb 1997 04:28:10 -0000
Message-Id: <19970204042810.1233.qmail@spitfire.ecsel.psu.edu>
Date: 4 Feb 1997 04:28:10 -0000
From: tenser@spitfire.ecsel.psu.edu
Reply-To: tenser@spitfire.ecsel.psu.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: Patches for locale buffer overruns for 2.1 and 2.2.
X-Send-Pr-Version: 3.2

>Number:         2654
>Category:       misc
>Synopsis:       Patches for locale buffer overruns (2.1.x, 2.2)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb  3 20:30:02 PST 1997
>Closed-Date:    Tue Feb 4 23:15:55 MET 1997
>Last-Modified:  Tue Feb  4 14:30:01 PST 1997
>Originator:     Dan Cross
>Release:        FreeBSD 2.2-CURRENT i386
>Organization:
The Pennsylvania State University, Department of Mathematics
>Environment:
FreeBSD 2.1.6-RELEASE and a kind of dated 2.2-CURRENT.

	My current version of FreeBSD on this machine is rather dated;
	stemming from last September.  I apologize, but I am going to
	guess that my patches might install cleanly.

>Description:

	These are the patches that I posted to security@ regarding
	the locale buffer overruns in the CSU code under 2.1, and
	in the locale library functions in 2.2.  I remember the
	last time I submitted patches, someone told me to use send-pr,
	so...  :-)

>How-To-Repeat:

	See the recent posts to Bugtraq and security@

>Fix:
	
	The following are two sets of patches, one for 2.1, the other
	for 2.2, respectively.  Although there is great overlap in what
	was changed, the two versions were disparate enough that I felt
	two sets of patches would be beneficial.  Thanks!

	(Please note; these patches compile on my systems, but I have
	not tested them thoroughly, and I'm not certain that they take
	care of every possible security bug in the locale code, but I
	think they might be of some use as a base for an official patch.
	Caveat emptor.)

	- Dan C.

----- Begin locale-2.1.diff
*** collate.c	1997/02/04 02:49:05	1.1
--- collate.c	1997/02/04 02:54:58
***************
*** 66,75 ****
  		return -1;
  	if (!path_locale && !(path_locale = getenv("PATH_LOCALE")))
  		path_locale = _PATH_LOCALE;
! 	strcpy(buf, path_locale);
! 	strcat(buf, "/");
! 	strcat(buf, encoding);
! 	strcat(buf, "/LC_COLLATE");
  	if ((fp = fopen(buf, "r")) == NULL)
  		return -1;
  	FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp);
--- 66,73 ----
  		return -1;
  	if (!path_locale && !(path_locale = getenv("PATH_LOCALE")))
  		path_locale = _PATH_LOCALE;
! 	(void)snprintf(buf,
! 		PATH_MAX, "%s/%s/LC_COLLATE", path_locale, encoding);
  	if ((fp = fopen(buf, "r")) == NULL)
  		return -1;
  	FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp);
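Review bot: The `(void)` cast on the new snprintf() discards the only signal that the path did not fit, so a PATH_LOCALE value long enough to exhaust the PATH_MAX bound yields a silently truncated path that is still handed to fopen() on the next line; the overrun is gone but truncation is not treated as an error. I would keep the return value and fail closed, `int n = snprintf(buf, PATH_MAX, "%s/%s/LC_COLLATE", path_locale, encoding);` followed by `if (n < 0 || n >= PATH_MAX) return -1;` (or `return(ENOENT);` where that is the function's error convention). The declaration of buf is outside the hunk; if it is a `char buf[PATH_MAX]` array, `sizeof buf` would tie the bound to the declaration rather than repeating the constant. The same applies to the rune.c and startup_setlocale.c hunks of the 2.1 diff and to the collate.c and setrunelocale.c hunks of the 2.2 diff. The enclosing function starts and ends outside the hunk.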
*** rune.c	1997/02/04 03:18:28	1.1
--- rune.c	1997/02/04 03:19:21
***************
*** 74,83 ****
  	if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE")))
  		PathLocale = _PATH_LOCALE;
  
! 	(void) strcpy(name, PathLocale);
! 	(void) strcat(name, "/");
! 	(void) strcat(name, encoding);
! 	(void) strcat(name, "/LC_CTYPE");
  
  	if ((fp = fopen(name, "r")) == NULL)
  		return(ENOENT);
--- 74,81 ----
  	if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE")))
  		PathLocale = _PATH_LOCALE;
  
! 	(void)snprintf(name,
! 		PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding);
  
  	if ((fp = fopen(name, "r")) == NULL)
  		return(ENOENT);
*** setlocale.c	1997/02/04 03:22:26	1.1
--- setlocale.c	1997/02/04 03:22:54
***************
*** 198,201 ****
--- 198,203 ----
  		case LC_NUMERIC:
  			return (NULL);
  	}
+ 
+ 	return(NULL);	/*  2.2 has this with the comment, ``Just in Case''  */
  }
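Review bot: The comment on the added `return(NULL);` records where the line came from ("2.2 has this") rather than why it is needed, which is that a category matched by no case previously fell off the end of a function that returns a pointer. I would reword it to `/* No category matched: fail rather than fall off the end of the function. */`, and, if the switch is meant to be exhaustive, a `default:` label returning NULL inside the switch would be the more conventional place for that, keeping the post-switch return as the only path for the non-switch flow. The function's opening and the switch head are outside the hunk, so whether other control flow reaches this point cannot be seen here.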
*** startup_setlocale.c	1997/02/03 07:40:46	1.1
--- startup_setlocale.c	1997/02/03 07:41:47
***************
*** 174,183 ****
  		return(0);
  	}
  
! 	(void) strcpy(name, PathLocale);
! 	(void) strcat(name, "/");
! 	(void) strcat(name, encoding);
! 	(void) strcat(name, "/LC_CTYPE");
  
  	if ((fp = fopen(name, "r")) == NULL)
  		return(ENOENT);
--- 174,181 ----
  		return(0);
  	}
  
! 	(void) snprintf(name,
! 		PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding);
  
  	if ((fp = fopen(name, "r")) == NULL)
  		return(ENOENT);
----- End locale-2.1.diff

And here is the stuff for 2.2:


----- Begin locale-2.2.diff
*** collate.c	1997/02/03 23:45:56	1.1
--- collate.c	1997/02/03 23:49:55
***************
*** 71,80 ****
  		return 0;
  	if (!_PathLocale && !(_PathLocale = getenv("PATH_LOCALE")))
  		_PathLocale = _PATH_LOCALE;
! 	strcpy(buf, _PathLocale);
! 	strcat(buf, "/");
! 	strcat(buf, encoding);
! 	strcat(buf, "/LC_COLLATE");
  	if ((fp = fopen(buf, "r")) == NULL) {
  		__collate_load_error = save_load_error;
  		return -1;
--- 71,78 ----
  		return 0;
  	if (!_PathLocale && !(_PathLocale = getenv("PATH_LOCALE")))
  		_PathLocale = _PATH_LOCALE;
! 	(void)snprintf(buf,
! 		PATH_MAX, "%s/%s/LC_COLLATE", _PathLocale, encoding);
  	if ((fp = fopen(buf, "r")) == NULL) {
  		__collate_load_error = save_load_error;
  		return -1;
*** setrunelocale.c	1997/02/03 23:47:15	1.1
--- setrunelocale.c	1997/02/03 23:48:19
***************
*** 86,95 ****
  	if (!_PathLocale && !(_PathLocale = getenv("PATH_LOCALE")))
  		_PathLocale = _PATH_LOCALE;
  
! 	(void) strcpy(name, _PathLocale);
! 	(void) strcat(name, "/");
! 	(void) strcat(name, encoding);
! 	(void) strcat(name, "/LC_CTYPE");
  
  	if ((fp = fopen(name, "r")) == NULL)
  		return(ENOENT);
--- 86,93 ----
  	if (!_PathLocale && !(_PathLocale = getenv("PATH_LOCALE")))
  		_PathLocale = _PATH_LOCALE;
  
! 	(void)snprintf(name,
! 		PATH_MAX, "%s/%s/LC_CTYPE", _PathLocale, encoding);
  
  	if ((fp = fopen(name, "r")) == NULL)
  		return(ENOENT);
----- End locale-2.2.diff
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: joerg 
State-Changed-When: Tue Feb 4 23:15:55 MET 1997 
State-Changed-Why:  
Already fixed in -current by Andrey in a less blatant way. 
Probably needs to be fixed in 2.1.x, but i'll leave it to 
Joe to merge the fix from -current. 


From: j@uriah.heep.sax.de (J Wunsch)
To: tenser@spitfire.ecsel.psu.edu
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: misc/2654: Patches for locale buffer overruns for 2.1 and 2.2.
Date: Tue, 4 Feb 1997 21:16:47 +0100

 As tenser@spitfire.ecsel.psu.edu wrote:
 
 > ! 	strcpy(buf, path_locale);
 > ! 	strcat(buf, "/");
 > ! 	strcat(buf, encoding);
 > ! 	strcat(buf, "/LC_COLLATE");
 >   	if ((fp = fopen(buf, "r")) == NULL)
 >   		return -1;
 >   	FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp);
 > --- 66,73 ----
 >   		return -1;
 >   	if (!path_locale && !(path_locale = getenv("PATH_LOCALE")))
 >   		path_locale = _PATH_LOCALE;
 > ! 	(void)snprintf(buf,
 > ! 		PATH_MAX, "%s/%s/LC_COLLATE", path_locale, encoding);
 
 Incidentally, i also tried to apply your fix quite some time ago --
 and i stood corrected, the problem has already been fixed without
 using snprintf().
 
 -- 
 cheers, J"org
 
 joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
 Never trust an operating system you don't have sources for. ;-)
>Unformatted:
