Subject: Re: vixie-crontab vulnerable?
To: John F. Woods <jfw@jfwhome.funhouse.com>
From: Jason Downs <downsj@teeny.org>
List: current-users
Date: 12/16/1996 10:37:36
In message <199612161604.LAA12428@jfwhome.funhouse.com>,
	"John F. Woods" writes:
>>	Does anyone know if we are vulnerable to this?
>
>Yes.  load_env() needs to limit the length of the name of variables to
>MAX_TEMPSTR (100); it currently only checks that the length of the name+value
>is less than MAX_ENVSTR (1000).
>
>There's a whole bunch of fixed-length stack char arrays in cron that look ripe
>for exploits :-(.

You could, of course, start by diffing against the OpenBSD source.  Lots
of people have been through there fixing holes.  It would save you some work.

Just stay away from the FreeBSD 'fixes'.  They have this inane idea that
they should use snprintf() for copying strings.

--
Jason Downs		   (503) 256-8535 -/- (503) 952-3749
downsj@teeny.org  --> teeny.org: Free Software for a Free Internet <--
			     http://www.teeny.org/
	   This ain't no steeenking NetBSD.  http://www.openbsd.org/
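
The length check described in the quoted message, as an added example that is not part of the original thread and is not cron's own code. The names split_env_line() and try_name_len() are hypothetical; only the limits MAX_TEMPSTR (100) and MAX_ENVSTR (1000) come from the message.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENVSTR  1000  /* limit on name+value, as quoted in the message */
#define MAX_TEMPSTR 100   /* limit on the name alone, as quoted in the message */

/* Hypothetical helper, not cron's load_env(): split "NAME=VALUE" into
 * fixed-size buffers, checking each part against its own buffer.
 * Returns 0 on success, -1 if the line is malformed or too long. */
int split_env_line(const char *line, char name[MAX_TEMPSTR],
                   char value[MAX_ENVSTR])
{
    size_t total = strlen(line);
    const char *eq = strchr(line, '=');
    size_t nlen, vlen;

    if (eq == NULL || eq == line)
        return -1;              /* no '=' or empty name */
    if (total >= MAX_ENVSTR)
        return -1;              /* name+value check the message says exists */
    nlen = (size_t)(eq - line);
    if (nlen >= MAX_TEMPSTR)
        return -1;              /* the missing check: name vs. its own buffer */

    memcpy(name, line, nlen);
    name[nlen] = '\0';
    vlen = total - nlen - 1;    /* < MAX_ENVSTR because total is */
    memcpy(value, eq + 1, vlen);
    value[vlen] = '\0';
    return 0;
}

/* Build a constructed line with an n-byte name and report the result. */
int try_name_len(size_t n)
{
    char name[MAX_TEMPSTR], value[MAX_ENVSTR], line[MAX_ENVSTR];

    if (n + 3 > sizeof line)
        return -1;
    memset(line, 'A', n);
    strcpy(line + n, "=x");
    return split_env_line(line, name, value);
}

int main(void)
{
    printf("99-byte name:  %d\n", try_name_len(99));
    printf("150-byte name: %d\n", try_name_len(150));
    return 0;
}
```

A 150-byte name passes the name+value check alone, which is why the per-name check has to be separate.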