NetBSD Problem Report #50823
From www@NetBSD.org Wed Feb 17 12:07:02 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id A53F07ABC6
for <gnats-bugs@gnats.NetBSD.org>; Wed, 17 Feb 2016 12:07:02 +0000 (UTC)
Message-Id: <20160217120701.929047ACCB@mollari.NetBSD.org>
Date: Wed, 17 Feb 2016 12:07:01 +0000 (UTC)
From: dcb314@hotmail.com
Reply-To: dcb314@hotmail.com
To: gnats-bugs@NetBSD.org
Subject: src/lib/libwrap/hosts_access.c:317: huge input data problem ?
X-Send-Pr-Version: www-1.0
>Number: 50823
>Category: lib
>Synopsis: src/lib/libwrap/hosts_access.c:317: huge input data problem ?
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: lib-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Feb 17 12:10:00 +0000 2016
>Closed-Date: Wed Feb 17 19:58:03 +0000 2016
>Last-Modified: Mon Feb 22 18:40:00 +0000 2016
>Originator: David Binderman
>Release: cvs dated 20160216
>Organization:
>Environment:
>Description:
[src/lib/libwrap/hosts_access.c:317]: (warning) scanf without field width limits can crash with huge input data.
Source code is
while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
/* void */ ;
but
char tok[BUFSIZ];
so the code assumes all lines in the file are shorter than BUFSIZ
and will smash the stack if they aren't. This might be a security issue.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/50823 CVS commit: src/lib/libwrap
Date: Wed, 17 Feb 2016 14:52:20 -0500
Module Name: src
Committed By: christos
Date: Wed Feb 17 19:52:20 UTC 2016
Modified Files:
src/lib/libwrap: hosts_access.c
Log Message:
PR/50823: David Binderman: Limit scanf width
To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/lib/libwrap/hosts_access.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Wed, 17 Feb 2016 19:58:03 +0000
State-Changed-Why:
Fixed by christos, thanks.
From: "Jeremy C. Reed" <reed@reedmedia.net>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: lib/50823: src/lib/libwrap/hosts_access.c:317: huge input data
problem ?
Date: Mon, 22 Feb 2016 12:39:28 -0600 (CST)
On Wed, 17 Feb 2016, dcb314@hotmail.com wrote:
> This might be a security issue.
Thanks again for reporting this. For the record, I received this from
one of the security officers: "This is not a security issue (unless
users other than root have write access to the /etc/hosts.{allow,deny}
files and the files that are referred from them, which is a security
issue itself), since the files parsed are under root control."
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.