From 9eef6c1fa95264da5deb227ac333e597e84cc984 Mon Sep 17 00:00:00 2001
From: Ned Ludd
Date: Mon, 11 Aug 2003 06:38:59 +0000
Subject: Ok so looking at the whois code, there seems to be quite a few ways to overflow it. I've written a little patch which should address this. I'm also removing all the older exploitable versions of whois from the portage tree, and adding my patch. Closes bug 24860

---
net-misc/whois/files/digest-whois-4.5.28-r1 | 1 -
net-misc/whois/files/digest-whois-4.6.2 | 1 -
net-misc/whois/files/digest-whois-4.6.5 | 1 -
net-misc/whois/files/digest-whois-4.6.6 | 1 -
net-misc/whois/files/digest-whois-4.6.6-r1 | 1 +
.../whois/files/whois-4.6.6-gentoo-security.patch | 86 ++++++++++++++++++++++
6 files changed, 87 insertions(+), 4 deletions(-)
delete mode 100644 net-misc/whois/files/digest-whois-4.5.28-r1
delete mode 100644 net-misc/whois/files/digest-whois-4.6.2
delete mode 100644 net-misc/whois/files/digest-whois-4.6.5
delete mode 100644 net-misc/whois/files/digest-whois-4.6.6
create mode 100644 net-misc/whois/files/digest-whois-4.6.6-r1
create mode 100644 net-misc/whois/files/whois-4.6.6-gentoo-security.patch
(limited to 'net-misc/whois/files')

diff --git a/net-misc/whois/files/digest-whois-4.5.28-r1 b/net-misc/whois/files/digest-whois-4.5.28-r1
deleted file mode 100644
index e7b9c3925371..000000000000
--- a/net-misc/whois/files/digest-whois-4.5.28-r1
+++ /dev/null
@@ -1 +0,0 @@
-MD5 e489d0dd8d894dd23b1b5f33425742bf whois_4.5.28.tar.gz 34194
diff --git a/net-misc/whois/files/digest-whois-4.6.2 b/net-misc/whois/files/digest-whois-4.6.2
deleted file mode 100644
index e34627b054a4..000000000000
--- a/net-misc/whois/files/digest-whois-4.6.2
+++ /dev/null
@@ -1 +0,0 @@
-MD5 9040d3ec3eb295f5073ea43b39ccfe60 whois_4.6.2.tar.gz 34754
diff --git a/net-misc/whois/files/digest-whois-4.6.5 b/net-misc/whois/files/digest-whois-4.6.5
deleted file mode 100644
index 9c832f1996ea..000000000000
--- a/net-misc/whois/files/digest-whois-4.6.5
+++ /dev/null
@@ -1 +0,0 @@
-MD5 2341ab2c39113d112d13ae34da85b7f6 whois_4.6.5.tar.gz 44532
diff --git a/net-misc/whois/files/digest-whois-4.6.6 b/net-misc/whois/files/digest-whois-4.6.6
deleted file mode 100644
index 36ed1f444de6..000000000000
--- a/net-misc/whois/files/digest-whois-4.6.6
+++ /dev/null
@@ -1 +0,0 @@
-MD5 eceebd6e1aaa82b376eee30f59032662 whois_4.6.6.tar.gz 46077
diff --git a/net-misc/whois/files/digest-whois-4.6.6-r1 b/net-misc/whois/files/digest-whois-4.6.6-r1
new file mode 100644
index 000000000000..36ed1f444de6
--- /dev/null
+++ b/net-misc/whois/files/digest-whois-4.6.6-r1
@@ -0,0 +1 @@
+MD5 eceebd6e1aaa82b376eee30f59032662 whois_4.6.6.tar.gz 46077
diff --git a/net-misc/whois/files/whois-4.6.6-gentoo-security.patch b/net-misc/whois/files/whois-4.6.6-gentoo-security.patch
new file mode 100644
index 000000000000..fa1641fa3192
--- /dev/null
+++ b/net-misc/whois/files/whois-4.6.6-gentoo-security.patch
@@ -0,0 +1,86 @@
+diff -Nru whois-4.6.6.orig/whois.c whois-4.6.6/whois.c
+--- whois-4.6.6.orig/whois.c 2003-06-15 12:36:52.000000000 -0400
++++ whois-4.6.6/whois.c 2003-08-11 02:15:30.000000000 -0400
+@@ -73,12 +73,12 @@
+ /* RIPE flags */
+ if (strchr(ripeflags, ch)) {
+ for (p = fstring; *p; p++);
+- sprintf(p--, "-%c ", ch);
++ snprintf(p--, sizeof(fstring), "-%c ", ch);
+ continue;
+ }
+ if (strchr(ripeflagsp, ch)) {
+ for (p = fstring; *p; p++);
+- sprintf(p--, "-%c %s ", ch, optarg);
++ snprintf(p--, sizeof(fstring), "-%c %s ", ch, optarg);
+ if (ch == 't' || ch == 'v' || ch == 'q')
+ nopar = 1;
+ continue;
+ }
+@@ -132,10 +132,10 @@
+ while (1) {
+ qslen += strlen(*argv) + 1 + 1;
+ qstring = realloc(qstring, qslen);
+- strcat(qstring, *argv++);
++ strncat(qstring, *argv++, qslen-1);
+ if (argc == 1)
+ break;
+- strcat(qstring, " ");
++ strncat(qstring, " ", qslen);
+ argc--;
+ }
+ }
+@@ -401,10 +401,13 @@
+ {
+ char *buf;
+ int i, isripe = 0;
++ int buflen = 0;
+
+ /* +10 for CORE; +2 for \r\n; +1 for NULL */
+- buf = malloc(strlen(flags) + strlen(query) + strlen(client_tag) + 4
+- + 10 + 2 + 1);
++ buflen = (strlen(flags) + strlen(query) + strlen(client_tag) + 4 + 10 + 2 + 1);
++
++ buf = malloc(buflen);
++
+ *buf = '\0';
+ for (i = 0; ripe_servers[i]; i++)
+ if (strcmp(server, ripe_servers[i]) == 0) {
+@@ -426,23 +429,23 @@
+ if (*flags) {
+ if (!isripe && strcmp(server, "whois.corenic.net") != 0)
+ puts(_("Warning: RIPE flags used with a traditional server."));
+- strcat(buf, flags);
++ strncat(buf, flags, buflen);
+ }
+ /* FIXME: /e is not applied to .JP ASN */
+ if (!isripe && (strcmp(server, "whois.nic.mil") == 0 ||
+ strcmp(server, "whois.nic.ad.jp") == 0) &&
+ strncasecmp(query, "AS", 2) == 0 && isasciidigit(query[2]))
+- sprintf(buf, "AS %s", query + 2); /* fix query for DDN */
++ snprintf(buf, buflen, "AS %s", query + 2); /* fix query for DDN */
+ else if (!isripe && strcmp(server, "whois.corenic.net") == 0)
+- sprintf(buf, "--machine %s", query); /* machine readable output */
++ snprintf(buf, buflen, "--machine %s", query); /* machine readable output */
+ else if (!isripe && strcmp(server, "whois.nic.ad.jp") == 0) {
+ char *lang = getenv("LANG"); /* not a perfect check, but... */
+ if (!lang || (strncmp(lang, "ja", 2) != 0))
+- sprintf(buf, "%s/e", query); /* ask for english text */
++ snprintf(buf, buflen, "%s/e", query); /* ask for english text */
+ else
+- strcat(buf, query);
++ strncat(buf, query, buflen);
+ } else
+- strcat(buf, query);
++ strncat(buf, query, buflen);
+ return buf;
+ }
+
+@@ -485,7 +488,7 @@
+
+ if (verb)
+ printf(_("Detected referral to %s on %s.\n"), nq, nh);
+- strcat(nq, "\r\n");
++ strncat(nq, "\r\n", sizeof(nq));
+ fd = openconn(nh, np);
+ do_query(fd, nq);
+ continue;
-- 
cgit v1.2.3-65-gdbad
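Review bot: The `strncat` bounds introduced in the new patch file pass the whole buffer size instead of the space left in it — `strncat(qstring, *argv++, qslen-1)`, `strncat(qstring, " ", qslen)`, `strncat(buf, flags, buflen)`, both `strncat(buf, query, buflen)` and `strncat(nq, "\r\n", sizeof(nq))` — and because `strncat`'s third argument caps the bytes appended from the source rather than the destination length, each call can still write as far past the end as the `strcat` it replaces. The `snprintf(p--, sizeof(fstring), ...)` lines in the first hunk have the same shape of error: `p` already points at the end of the existing contents, so the limit must be the remaining room `sizeof(fstring) - (p - fstring)` (provided `fstring` is an array), computed in a separate statement because `p` is decremented inside the same call. For `nq`, if it is a `char *` rather than an array, `sizeof(nq)` is the pointer width, so that line needs the real buffer length from its declaration, which is outside the hunk. The new `buf = malloc(buflen)` is still dereferenced by `*buf = '\0'` without a NULL check, and `buflen` stores a sum of `size_t` lengths in an `int`. The rewrite below assumes `qstring` holds a NUL-terminated string before the join loop, which the hunk does not show; every enclosing function begins and ends outside the hunks.
```c
/* … unchanged: RIPE flag detection in the option loop (hunk @@ -73) … */
for (p = fstring; *p; p++);
room = sizeof(fstring) - (size_t)(p - fstring);   /* size_t room; computed before p-- */
snprintf(p--, room, "-%c ", ch);
/* … unchanged: the "-%c %s " branch uses the same room computation … */
/* … unchanged: argv join loop (hunk @@ -132) … */
strncat(qstring, *argv++, qslen - strlen(qstring) - 1);
/* … unchanged: buffer allocation and RIPE server lookup (hunk @@ -401) … */
strncat(buf, flags, buflen - strlen(buf) - 1);
/* … unchanged: snprintf(buf, buflen, …) calls, already bounded by the full buffer … */
strncat(buf, query, buflen - strlen(buf) - 1);
```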