From mi@video-collage.com  Thu Mar 23 12:45:53 2000
Return-Path: <mi@video-collage.com>
Received: from xxx.video-collage.com (xxx.video-collage.com [209.122.149.226])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0DDF037B8E9; Thu, 23 Mar 2000 12:45:44 -0800 (PST)
	(envelope-from mi@video-collage.com)
Received: from dufus.video-collage.com (dufus [10.222.222.77])
	by xxx.video-collage.com (8.9.1a/8.9.1) with ESMTP id PAA09886;
	Thu, 23 Mar 2000 15:45:40 -0500 (EST)
Received: (from root@localhost)
	by dufus.video-collage.com (8.9.3/8.9.3) id PAA83658;
	Thu, 23 Mar 2000 15:45:39 -0500 (EST)
	(envelope-from mi@xxx)
Message-Id: <200003232045.PAA83658@dufus.video-collage.com>
Date: Thu, 23 Mar 2000 15:45:39 -0500 (EST)
From: Mikhail Teterin <mi@video-collage.com>
Reply-To: mi@video-collage.com
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: ume@FreeBSD.org, bill@gkrellm.net
Subject: gkrellm defaults to the wrong mbox location, uses sprintf unsafely
X-Send-Pr-Version: 3.2

>Number:         17573
>Category:       ports
>Synopsis:       gkrellm defaults to the wrong mbox location, uses sprintf unsafely
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 23 12:50:02 PST 2000
>Closed-Date:    Fri Mar 24 02:35:57 PST 2000
>Last-Modified:  Fri Mar 24 02:38:14 PST 2000
>Originator:     Mikhail Teterin
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
Virtual Estates, Inc.
>Environment:

>Description:

	The wrong (for BSD) path /var/spool/mail/%s is hardcoded in mail.c
	instead of /var/mail/%s ... Easy enough :)

	The length of the buffer (128) seems a bit "off-the-wall". Normally,
	a user-name is below 8 or 16 characters...

	This patch also addresses the security hole, exploitable by setting the
	USER environment variable to something very-very long, but there are
	plenty of other spots where sprintf is used instead of snprintf to
	construct strings in buffers. A program that wants to be installed
	suid should probably use snprintf exclusively (or, even better --
	strncat -- if it's just the concatenation that's needed).

>How-To-Repeat:

>Fix:
	Put the following into the port's patches/patch-mail :

--- mail.c	Fri Mar 10 16:04:25 2000
+++ mail.c	Thu Mar 23 15:24:21 2000
@@ -885,3 +885,3 @@
 				{
-				sprintf(buf, "/var/spool/mail/%s", s);
+				snprintf(buf, 127, "/var/mail/%s", s);
 				s = buf;
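Review bot: the size argument on the `+` line is the literal 127 rather than the buffer's own size; snprintf already reserves room for the terminating NUL within the size it is given, so 127 wastes a byte and, worse, goes stale silently if the 128-byte buffer named in the description is ever resized. Prefer `snprintf(buf, sizeof(buf), "/var/mail/%s", s);` when buf is an array (or the named size constant otherwise), and consider checking snprintf's return value: a USER long enough to be truncated now yields a wrong but non-overflowing path rather than an error, and the line after it, `s = buf;`, goes on to use that path.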

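As an added example, not gkrellm's code and not the submitter's patch: a bounded builder for the mbox path that takes the buffer size from the caller, refuses an empty name or one containing a slash, and fails instead of handing back a truncated path. The names MBOX_DIR, MBOX_BUF and mbox_path are assumed for this example; 128 is the buffer size the report mentions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not gkrellm's code. MBOX_DIR, MBOX_BUF and mbox_path
 * are names chosen for this example; 128 is the buffer size the
 * report mentions. */
#define MBOX_DIR "/var/mail"
#define MBOX_BUF 128

/* Build "MBOX_DIR/user" into buf of size buflen.
 * Returns 0 on success and -1 if the name is unusable or the result
 * would not fit; on failure buf is set to "" so a caller cannot act on
 * a silently truncated path (what a bare snprintf would hand back). */
static int mbox_path(char *buf, size_t buflen, const char *user)
{
    int n;

    if (buf == NULL || buflen == 0)
        return -1;
    /* A login name is a single path component: reject empty names and
     * anything containing a slash before it reaches the formatter. */
    if (user == NULL || *user == '\0' || strchr(user, '/') != NULL) {
        buf[0] = '\0';
        return -1;
    }
    n = snprintf(buf, buflen, "%s/%s", MBOX_DIR, user);
    if (n < 0 || (size_t)n >= buflen) {   /* would have been truncated */
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[MBOX_BUF];
    const char *user = getenv("USER");   /* the same source the report names */

    if (mbox_path(buf, sizeof(buf), user) != 0) {
        fputs("USER is unset, empty, or too long for the mbox buffer\n", stderr);
        return 1;
    }
    printf("%s\n", buf);
    return 0;
}
```

With the 128-byte buffer, a 117-character name is the longest that fits ("/var/mail/" is 10 characters plus the NUL); one character more is refused rather than truncated.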
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ume 
State-Changed-When: Fri Mar 24 02:35:57 PST 2000 
State-Changed-Why:  
Committed.  Thanks! 
>Unformatted:
