Date: Tue, 16 Jan 2001 23:10:04 -0800
From: Aaron Lehmann <aaronl@vitelus.com>
To: gopher@complete.org
Subject: [gopher] Fwd: Bug#82602: gopherd: [SECURITY] gopherd is dangerous
Message-ID: <20010116231004.A19307@vitelus.com>

----- Forwarded message from aaronl@vitelus.com -----

From: aaronl@vitelus.com
Date: Tue, 16 Jan 2001 22:57:23 -0800
To: submit@bugs.debian.org
Subject: Bug#82602: gopherd: [SECURITY] gopherd is dangerous
X-Mailer: bug 3.3.7

Package: gopherd
Version: 2.3.1-8
Severity: grave

First off:

    $ egrep -r '(sprintf|strcpy|strcat)' * | wc -l
    539

*shudder*

Here are a few particular cases of fixed-size buffers that I think may
currently be security risks:

    char buf[256];
    ...
    if (dochroot)
        sprintf(buf, "%s '%s'", decoder, pathname);
    else
        sprintf(buf, "%s '%s/%s'", decoder, Data_Dir, pathname);

As far as I can tell, neither decoder nor pathname is regulated in size at
all.

Here's another favorite:

    char longname[256];
    ...
    sprintf( longname, "%s [%s%s%s, %ukb]", stitle,
             cdate+8, cdate+4, cdate+22,
             (statbuf.st_size+1023) / 1024);

Even if the length of stitle was regulated (which I doubt), it would most
likely be regulated to 256 bytes, which would be just as disastrous.
Oh, and you had better hope that the path to your Data_Dir is < 256 chars:

    char tmpstr[256];
    ...
    strcpy(tmpstr, Data_Dir);

Data_Dir is _not_ regulated in size:

    Data_Dir = strdup(argv[optind]);
    ...
    Data_Dir = strdup(DATA_DIRECTORY);

How about this:

    if ((titlep = strcasestr(buf, "<title>")) != NULL) {
        char *endtitle;
        char titletemp[256];

        titlep += 7;
        if ((endtitle = strcasestr(titlep, "</title>")) != NULL) {
            strncpy(titletemp, titlep, (endtitle-titlep));
            titletemp[endtitle-titlep] = '\0';

So, list a directory containing a .html document with a title > 256 chars
and you're likely to smash the stack.

I could go on and on. My recommendation to the gopherd maintainer is to
throw out all of this code and write a more modern, secure implementation
from scratch. This is the worst C code I have ever read.

----- End forwarded message -----
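As an added illustration (not gopherd code and not part of the forwarded report), here is the bounded form of two of the patterns above: the decoder command built with sprintf into a 256-byte buffer, and the <title> extraction with strncpy. Both functions refuse and return false when the input would not fit instead of writing past the buffer; the names build_decoder_cmd, ci_find and extract_title and the sample HTML are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stdbool.h>

/* Bounded replacement for sprintf(buf, "%s '%s'", decoder, pathname).
 * snprintf reports the length the full string would need; if that is
 * >= bufsz the output was truncated, so clear it and fail loudly. */
bool build_decoder_cmd(char *buf, size_t bufsz,
                       const char *decoder, const char *pathname) {
    int n = snprintf(buf, bufsz, "%s '%s'", decoder, pathname);
    if (n < 0 || (size_t)n >= bufsz) {
        if (bufsz) buf[0] = '\0';
        return false;
    }
    return true;
}

/* Case-insensitive substring search (portable stand-in for strcasestr). */
static const char *ci_find(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0) return hay;
    return NULL;
}

/* Bounded <title> extraction. The original copied (endtitle - titlep)
 * bytes into a 256-byte stack buffer unchecked; here a title that does
 * not fit in outsz-1 bytes is rejected rather than copied. */
bool extract_title(const char *html, char *out, size_t outsz) {
    if (outsz == 0) return false;
    const char *start = ci_find(html, "<title>");
    if (!start) return false;
    start += strlen("<title>");
    const char *end = ci_find(start, "</title>");
    if (!end) return false;
    size_t len = (size_t)(end - start);
    if (len >= outsz) { out[0] = '\0'; return false; }  /* overflow point */
    memcpy(out, start, len);
    out[len] = '\0';
    return true;
}

int main(void) {
    char title[256], cmd[256];
    const char *html = "<html><TITLE>Gopher FAQ</TITLE></html>";  /* constructed */
    printf("title ok=%d '%s'\n", extract_title(html, title, sizeof title), title);
    printf("cmd ok=%d\n", build_decoder_cmd(cmd, sizeof cmd, "/usr/bin/zcat", "/var/gopher/doc.gz"));
    return 0;
}
```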