Received: with ECARTIS (v1.0.0; list gopher); Fri, 29 Aug 2003 15:22:35 -0500 (CDT)
Return-Path:
X-Original-To: gopher@complete.org
Delivered-To: gopher@complete.org
Received: from localhost (localhost [127.0.0.1]) by gesundheit.complete.org (Postfix) with ESMTP id 3469218320CA; Fri, 29 Aug 2003 15:22:35 -0500 (CDT)
Received: from heinrich.complete.org (gatekeeper.excelhustler.com [68.99.114.105]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "christoph.complete.org", Issuer "John Goerzen -- Root CA" (verified OK)) by gesundheit.complete.org (Postfix) with ESMTP id BF65F183209C; Fri, 29 Aug 2003 15:22:34 -0500 (CDT)
Received: by heinrich.complete.org (Postfix, from userid 1000) id C12323B8; Fri, 29 Aug 2003 15:22:41 -0500 (CDT)
To: gopher@complete.org, 204487@bugs.debian.org
Subject: [gopher] [comp.infosystems.gopher] Re: UMN gopherd exploits
From: John Goerzen
Date: Fri, 29 Aug 2003 15:22:41 -0500
Message-ID: <87bru8kycu.fsf@complete.org>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) XEmacs/21.4 (Rational FORTRAN, linux)
MIME-Version: 1.0
Content-type: text/plain
X-Scanned-By: clamscan at complete.org
Content-Transfer-Encoding: 8bit
X-archive-position: 822
X-ecartis-version: Ecartis v1.0.0
Sender: gopher-bounce@complete.org
Errors-to: gopher-bounce@complete.org
X-original-sender: jgoerzen@complete.org
Precedence: bulk
Reply-to: gopher@complete.org
List-help:
List-unsubscribe:
List-software: Ecartis version 1.0.0
List-Id: Gopher
X-List-ID: Gopher
List-subscribe:
List-owner:
List-post:
List-archive:
X-list: gopher

FYI, if you are running UMN gopherd and have not upgraded, you may find this useful:

-- Attached file included as plaintext by Ecartis --

Path: heinrich.complete.org!newsx!uni-berlin.de!fu-berlin.de!feed.news.nacamar.de!news100.image.dk!news010.worldonline.dk.POSTED!not-for-mail
From: "Jacob Dahl Pind"
Subject: Re: UMN gopherd exploits
References: <561.365T1050T2052494rachael_@gmx.net> <87oey9ok10.fsf@complete.org>
Message-ID: <2001.371T1100T953184rachael_@gmx.net>
Newsgroups: comp.infosystems.gopher
Lines: 70
X-Newsreader: THOR 2.6a (Amiga;TCP/IP)
Date: 29 Aug 2003 1:35:22 +0100
NNTP-Posting-Host: 213.237.16.246
X-Complaints-To: news-abuse@wol.dk
X-Trace: news010.worldonline.dk 1062113871 213.237.16.246 (Fri, 29 Aug 2003 01:37:51 MET DST)
NNTP-Posting-Date: Fri, 29 Aug 2003 01:37:51 MET DST
Organization: Customer of Tiscali A/S
Xref: heinrich.complete.org comp.infosystems.gopher:32
MIME-Version: 1.0

on 28-Aug-03 16:54:03, John Goerzen wrote:

>"Jacob Dahl Pind" writes:
>> Hello
>>
>> As it seems support for UMN gopherd has been stopped, and the two
>> latest security holes won't be fixed, I have tried to patch them.
>>
>> The small patch can be found at gopher://rachael.dyndns.org/11/gopher/

>I could not resolve that hostname. Can you post a new URL?

I have included it instead. It fixes the GSisText()/view buffer overflow, the remote "ftp gateway" buffer overflow, and the do_command buffer overflow. It also changes some tempnam to mkstemp, but those are GNU glibc specific.
-- UMN_gopherd_patch.txt diff -adr misc/gopher-3.0.5/gopher-3.0.5/gopherd/ftp.c software/gopher-3.0.5/gopher-3.0.5/gopherd/ftp.c 1810,1811c1810,1811 < < strcpy(tmpName, buf); --- > if (strlen(buf) > 256) last=256; > strncpy(tmpName, buf,last); diff -adr misc/gopher-3.0.5/gopher-3.0.5/gopherd/gopherd.c software/gopher-3.0.5/gopher-3.0.5/gopherd/gopherd.c 1279,1280c1279,1280 < ASKfile = tempnam(NULL, "gdata"); < Debug("HTTP POST data is in %s\n", ASKfile); --- > ASKfile = mkstemp("gdata"); > Debug("HTTP POST data is in %s\n", ASKfile); 1482c1482 < --- > int authlen; 1488c1488,1491 < strcpy(cleartext, authuser); --- > authlen = strlen(authuser); > /* its 64 because cleartext has just been declared 64 above */ > if (authlen > 64 ) authlen = 64; > strncpy(cleartext, authuser,authlen); 1590c1593 < ASKfile = tempnam(NULL, "gdata"); --- > ASKfile = mkstemp("gdata"); diff -adr misc/gopher-3.0.5/gopher-3.0.5/object/GSgopherobj.c software/gopher-3.0.5/gopher-3.0.5/object/GSgopherobj.c 2090c2090,2091 < { --- > { int pos; > 2107c2108,2112 < --- > if (strlen(view) > 64) { > pos = 64; > } else { > pos = strlen(view); > } regards Jacob Dahl Pind -- CBM, Amiga,Vintage hardware collector Email: rachael@rachael.dyndns.org url: http://rachael.dyndns.org
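Review bot: in the ftp.c hunk at 1810, `last` is only assigned on the `strlen(buf) > 256` path, so for any `buf` of 256 bytes or fewer `strncpy(tmpName, buf, last)` copies whatever value `last` held before the check, and on the long-input path `strncpy` stops after 256 bytes without writing a NUL, leaving `tmpName` unterminated for whatever reads it next. Compute the length first, clamp it to the destination size minus one, and terminate explicitly:
`last = strlen(buf); if (last > sizeof(tmpName) - 1) last = sizeof(tmpName) - 1;`
`memcpy(tmpName, buf, last); tmpName[last] = '\0';`
(`sizeof(tmpName)` assumes `tmpName` is a fixed array in scope, which the hunk does not show; if it is a pointer, use the allocated size.) The bare 256 should in any case be the real buffer size rather than a magic number.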
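Review bot: `ASKfile = mkstemp("gdata")` in the gopherd.c hunk at 1279 cannot work as written: `mkstemp` returns an `int` file descriptor, not a path, and it requires a writable template ending in `XXXXXX` that it overwrites in place, so a string literal without that suffix fails (returns -1, and writing into a literal is undefined behaviour). The `Debug("HTTP POST data is in %s\n", ASKfile)` on the next line then receives an `int` where it expects a `char *`. Use a mutable template, keep the descriptor, and check the result:
`char tmpl[] = "/tmp/gdataXXXXXX"; int fd = mkstemp(tmpl);`
`if (fd == -1) { /* report and bail out */ }`
then write the POST data through `fd` (or `fdopen(fd, "w")`) and pass `tmpl` where a name is needed; reopening the file by name would reintroduce the race that replacing `tempnam` is meant to remove.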
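Review bot: the clamp in the gopherd.c hunk at 1488 is off by one: the comment says `cleartext` is declared as 64 bytes, and with `authlen` capped at 64 an `authuser` of 64 or more characters makes `strncpy` fill all 64 bytes with no NUL terminator, so any later use of `cleartext` as a string reads past the buffer. Cap at `sizeof(cleartext) - 1` and terminate explicitly:
`if (authlen > sizeof(cleartext) - 1) authlen = sizeof(cleartext) - 1;`
`memcpy(cleartext, authuser, authlen); cleartext[authlen] = '\0';`
`authlen` (declared `int` in the 1482 hunk) should also be `size_t`, since it holds a `strlen` result.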
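Review bot: the second `ASKfile = mkstemp("gdata")` in the gopherd.c hunk at 1590 has the same defect as the first: `mkstemp` returns an `int` descriptor and needs a writable template ending in `XXXXXX`, so a bare string literal fails and the result is not a filename. Use `char tmpl[] = "/tmp/gdataXXXXXX"; int fd = mkstemp(tmpl);`, check for -1, and keep writing through `fd` instead of reopening by name.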
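Review bot: the GSgopherobj.c hunk at 2107 computes `pos` (the length of `view` clamped to 64) but no line in the posted diff uses it: the copy of `view` into the fixed buffer that the patch is meant to bound is not changed anywhere in the patch, so the GSisText()/view overflow named in the mail is not actually closed by what is shown here. Either a hunk replacing that copy with a `pos`-bounded one was dropped when the diff was posted, or it still needs to be written; when it is, cap `pos` at the destination's size minus one rather than at 64 so the terminator fits, and copy with `memcpy(dest, view, pos); dest[pos] = '\0';` (`dest` standing for whatever the destination buffer is called in the unpatched source).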