Received: with ECARTIS (v1.0.0; list gopher); Fri, 29 Aug 2003 15:22:35 -0500 (CDT) Return-Path: <jgoerzen@complete.org> X-Original-To: gopher@complete.org Delivered-To: gopher@complete.org Received: from localhost (localhost [127.0.0.1]) by gesundheit.complete.org (Postfix) with ESMTP id 3469218320CA; Fri, 29 Aug 2003 15:22:35 -0500 (CDT) Received: from heinrich.complete.org (gatekeeper.excelhustler.com [68.99.114.105]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "christoph.complete.org", Issuer "John Goerzen -- Root CA" (verified OK)) by gesundheit.complete.org (Postfix) with ESMTP id BF65F183209C; Fri, 29 Aug 2003 15:22:34 -0500 (CDT) Received: by heinrich.complete.org (Postfix, from userid 1000) id C12323B8; Fri, 29 Aug 2003 15:22:41 -0500 (CDT) To: gopher@complete.org, 204487@bugs.debian.org Subject: [gopher] [comp.infosystems.gopher] Re: UMN gopherd exploits From: John Goerzen <jgoerzen@complete.org> Date: Fri, 29 Aug 2003 15:22:41 -0500 Message-ID: <87bru8kycu.fsf@complete.org> User-Agent: Gnus/5.1002 (Gnus v5.10.2) XEmacs/21.4 (Rational FORTRAN, linux) MIME-Version: 1.0 Content-type: text/plain X-Scanned-By: clamscan at complete.org Content-Transfer-Encoding: 8bit X-archive-position: 822 X-ecartis-version: Ecartis v1.0.0 Sender: gopher-bounce@complete.org Errors-to: gopher-bounce@complete.org X-original-sender: jgoerzen@complete.org Precedence: bulk Reply-to: gopher@complete.org List-help: <mailto:ecartis@complete.org?Subject=help> List-unsubscribe: <mailto:gopher-request@complete.org?Subject=unsubscribe> List-software: Ecartis version 1.0.0 List-Id: Gopher <gopher.complete.org> X-List-ID: Gopher <gopher.complete.org> List-subscribe: <mailto:gopher-request@complete.org?Subject=subscribe> List-owner: <mailto:jgoerzen@complete.org> List-post: <mailto:gopher@complete.org> List-archive: <http://www.complete.org/mailinglists/archives/> X-list: gopher

FYI, if you are running UMN gopherd and have not upgraded, you may find this useful:

-- Attached file included as plaintext by Ecartis --

Path: heinrich.complete.org!newsx!uni-berlin.de!fu-berlin.de!feed.news.nacamar.de!news100.image.dk!news010.worldonline.dk.POSTED!not-for-mail From: "Jacob Dahl Pind" <rachael_@gmx.net> Subject: Re: UMN gopherd exploits References: <561.365T1050T2052494rachael_@gmx.net> <87oey9ok10.fsf@complete.org> Message-ID: <2001.371T1100T953184rachael_@gmx.net> Newsgroups: comp.infosystems.gopher Lines: 70 X-Newsreader: THOR 2.6a (Amiga;TCP/IP) Date: 29 Aug 2003 1:35:22 +0100 NNTP-Posting-Host: 213.237.16.246 X-Complaints-To: news-abuse@wol.dk X-Trace: news010.worldonline.dk 1062113871 213.237.16.246 (Fri, 29 Aug 2003 01:37:51 MET DST) NNTP-Posting-Date: Fri, 29 Aug 2003 01:37:51 MET DST Organization: Customer of Tiscali A/S Xref: heinrich.complete.org comp.infosystems.gopher:32 MIME-Version: 1.0

on 28-Aug-03 16:54:03, John Goerzen wrote: >"Jacob Dahl Pind" <rachael_@gmx.net> writes:

>> Hello >> >> As it seems support for UMN gopherd has been stopped, and the two >> lates security holes wont be fixed, I have tried to patch them. >> >> The small patch can be found at gopher://rachael.dyndns.org/11/gopher/

>I could not resolve that hostname. Can you post a new URL?

have included it instead.

if fixed the GSisText()/view buffer overflow , remote "ftp gateway" buffer overflow, and do_command bufferoverflow. It also changes some tempnam to mkstemp, but those are gnu glibc specefic.

-- UMN_gopherd_patch.txt

diff -adr misc/gopher-3.0.5/gopher-3.0.5/gopherd/ftp.c software/gopher-3.0.5/gopher-3.0.5/gopherd/ftp.c 1810,1811c1810,1811 < < strcpy(tmpName, buf); --- > if (strlen(buf) > 256) last=256; > strncpy(tmpName, buf,last); diff -adr misc/gopher-3.0.5/gopher-3.0.5/gopherd/gopherd.c software/gopher-3.0.5/gopher-3.0.5/gopherd/gopherd.c 1279,1280c1279,1280 < ASKfile = tempnam(NULL, "gdata"); < Debug("HTTP POST data is in %s\n", ASKfile); --- > ASKfile = mkstemp("gdata"); > Debug("HTTP POST data is in %s\n", ASKfile); 1482c1482 < --- > int authlen; 1488c1488,1491 < strcpy(cleartext, authuser); --- > authlen = strlen(authuser); > /* its 64 because cleartext has just been declared 64 above */ > if (authlen > 64 ) authlen = 64; > strncpy(cleartext, authuser,authlen); 1590c1593 < ASKfile = tempnam(NULL, "gdata"); --- > ASKfile = mkstemp("gdata"); diff -adr misc/gopher-3.0.5/gopher-3.0.5/object/GSgopherobj.c software/gopher-3.0.5/gopher-3.0.5/object/GSgopherobj.c 2090c2090,2091 < { --- > { int pos; > 2107c2108,2112 < --- > if (strlen(view) > 64) { > pos = 64; > } else { > pos = strlen(view); > }

regards Jacob Dahl Pind

-- CBM, Amiga,Vintage hardware collector Email: rachael@rachael.dyndns.org url: http://rachael.dyndns.org