author | Ned Ludd <solar@gentoo.org> | 2003-08-11 06:38:59 +0000 |
---|---|---|
committer | Ned Ludd <solar@gentoo.org> | 2003-08-11 06:38:59 +0000 |
commit | 9eef6c1fa95264da5deb227ac333e597e84cc984 (patch) | |
tree | 0aa149ed0bd102e161178b8d889acfb0c3b5f534 /net-misc/whois/files | |
parent | Ok so looking at the whois code, there seems to be quite a few ways to overfl... (diff) | |
Ok so looking at the whois code, there seem to be quite a few ways to overflow it. I've written a little patch which should address this. I'm also removing all the older exploitable versions of whois from the portage tree, and adding my patch. Closes bug 24860
Diffstat (limited to 'net-misc/whois/files')
-rw-r--r-- | net-misc/whois/files/digest-whois-4.5.28-r1 | 1 | ||||
-rw-r--r-- | net-misc/whois/files/digest-whois-4.6.2 | 1 | ||||
-rw-r--r-- | net-misc/whois/files/digest-whois-4.6.5 | 1 | ||||
-rw-r--r-- | net-misc/whois/files/digest-whois-4.6.6-r1 (renamed from net-misc/whois/files/digest-whois-4.6.6) | 0 | ||||
-rw-r--r-- | net-misc/whois/files/whois-4.6.6-gentoo-security.patch | 86 |
5 files changed, 86 insertions, 3 deletions
diff --git a/net-misc/whois/files/digest-whois-4.5.28-r1 b/net-misc/whois/files/digest-whois-4.5.28-r1
deleted file mode 100644
index e7b9c3925371..000000000000
--- a/net-misc/whois/files/digest-whois-4.5.28-r1
+++ /dev/null
@@ -1 +0,0 @@
-MD5 e489d0dd8d894dd23b1b5f33425742bf whois_4.5.28.tar.gz 34194
diff --git a/net-misc/whois/files/digest-whois-4.6.2 b/net-misc/whois/files/digest-whois-4.6.2
deleted file mode 100644
index e34627b054a4..000000000000
--- a/net-misc/whois/files/digest-whois-4.6.2
+++ /dev/null
@@ -1 +0,0 @@
-MD5 9040d3ec3eb295f5073ea43b39ccfe60 whois_4.6.2.tar.gz 34754
diff --git a/net-misc/whois/files/digest-whois-4.6.5 b/net-misc/whois/files/digest-whois-4.6.5
deleted file mode 100644
index 9c832f1996ea..000000000000
--- a/net-misc/whois/files/digest-whois-4.6.5
+++ /dev/null
@@ -1 +0,0 @@
-MD5 2341ab2c39113d112d13ae34da85b7f6 whois_4.6.5.tar.gz 44532
diff --git a/net-misc/whois/files/digest-whois-4.6.6 b/net-misc/whois/files/digest-whois-4.6.6-r1
index 36ed1f444de6..36ed1f444de6 100644
--- a/net-misc/whois/files/digest-whois-4.6.6
+++ b/net-misc/whois/files/digest-whois-4.6.6-r1
diff --git a/net-misc/whois/files/whois-4.6.6-gentoo-security.patch b/net-misc/whois/files/whois-4.6.6-gentoo-security.patch
new file mode 100644
index 000000000000..fa1641fa3192
--- /dev/null
+++ b/net-misc/whois/files/whois-4.6.6-gentoo-security.patch
@@ -0,0 +1,86 @@
+diff -Nru whois-4.6.6.orig/whois.c whois-4.6.6/whois.c
+--- whois-4.6.6.orig/whois.c 2003-06-15 12:36:52.000000000 -0400
++++ whois-4.6.6/whois.c 2003-08-11 02:15:30.000000000 -0400
+@@ -73,12 +73,12 @@
+ /* RIPE flags */
+ if (strchr(ripeflags, ch)) {
+ for (p = fstring; *p; p++);
+- sprintf(p--, "-%c ", ch);
++ snprintf(p--, sizeof(fstring), "-%c ", ch);
+ continue;
+ }
+ if (strchr(ripeflagsp, ch)) {
+ for (p = fstring; *p; p++);
+- sprintf(p--, "-%c %s ", ch, optarg);
++ snprintf(p--, sizeof(fstring), "-%c %s ", ch, optarg);
+ if (ch == 't' || ch == 'v' || ch == 'q')
+ nopar = 1;
+ continue;
+@@ -132,10 +132,10 @@
+ while (1) {
+ qslen += strlen(*argv) + 1 + 1;
+ qstring = realloc(qstring, qslen);
+- strcat(qstring, *argv++);
++ strncat(qstring, *argv++, qslen-1);
+ if (argc == 1)
+ break;
+- strcat(qstring, " ");
++ strncat(qstring, " ", qslen);
+ argc--;
+ }
+ }
+@@ -401,10 +401,13 @@
+ {
+ char *buf;
+ int i, isripe = 0;
++ int buflen = 0;
+
+ /* +10 for CORE; +2 for \r\n; +1 for NULL */
+- buf = malloc(strlen(flags) + strlen(query) + strlen(client_tag) + 4
+- + 10 + 2 + 1);
++ buflen = (strlen(flags) + strlen(query) + strlen(client_tag) + 4 + 10 + 2 + 1);
++
++ buf = malloc(buflen);
++
+ *buf = '\0';
+ for (i = 0; ripe_servers[i]; i++)
+ if (strcmp(server, ripe_servers[i]) == 0) {
+@@ -426,23 +429,23 @@
+ if (*flags) {
+ if (!isripe && strcmp(server, "whois.corenic.net") != 0)
+ puts(_("Warning: RIPE flags used with a traditional server."));
+- strcat(buf, flags);
++ strncat(buf, flags, buflen);
+ }
+ /* FIXME: /e is not applied to .JP ASN */
+ if (!isripe && (strcmp(server, "whois.nic.mil") == 0 ||
+ strcmp(server, "whois.nic.ad.jp") == 0) &&
+ strncasecmp(query, "AS", 2) == 0 && isasciidigit(query[2]))
+- sprintf(buf, "AS %s", query + 2); /* fix query for DDN */
++ snprintf(buf, buflen, "AS %s", query + 2); /* fix query for DDN */
+ else if (!isripe && strcmp(server, "whois.corenic.net") == 0)
+- sprintf(buf, "--machine %s", query); /* machine readable output */
++ snprintf(buf, buflen, "--machine %s", query); /* machine readable output */
+ else if (!isripe && strcmp(server, "whois.nic.ad.jp") == 0) {
+ char *lang = getenv("LANG"); /* not a perfect check, but... */
+ if (!lang || (strncmp(lang, "ja", 2) != 0))
+- sprintf(buf, "%s/e", query); /* ask for english text */
++ snprintf(buf, buflen, "%s/e", query); /* ask for english text */
+ else
+- strcat(buf, query);
++ strncat(buf, query, buflen);
+ } else
+- strcat(buf, query);
++ strncat(buf, query, buflen);
+ return buf;
+ }
+
+@@ -485,7 +488,7 @@
+
+ if (verb)
+ printf(_("Detected referral to %s on %s.\n"), nq, nh);
+- strcat(nq, "\r\n");
++ strncat(nq, "\r\n", sizeof(nq));
+ fd = openconn(nh, np);
+ do_query(fd, nq);
+ continue; |
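Review bot: The new size arguments ignore what is already stored in the destination, so the writes this patch is meant to bound can still run past the end of the buffer. In the `-73,12` hunk both `snprintf(p--, sizeof(fstring), ...)` calls write at the current end of `fstring` but are limited by the whole array size; the limit should be the space left, `sizeof(fstring) - (size_t)(p - fstring)`, computed before the call because `p--` modifies `p` in the same argument list (this assumes `fstring` is an array, which the hunks do not show). The `strncat` calls in the `-132,10`, `-426,23` and `-485,7` hunks have the same defect, because the third argument of `strncat` caps the bytes copied from the source rather than the size of the destination: `strncat(buf, flags, buflen)` should be `strncat(buf, flags, buflen - strlen(buf) - 1)`, and `sizeof(nq)` is a usable bound only if `nq` is an array rather than a pointer. The results of `realloc` (`-132,10`) and `malloc` (`-401,10`) are still dereferenced without a NULL check, and `buflen` would be better declared `size_t` than `int`. All of the enclosing functions begin outside the hunks shown.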