Subject: pkg/22687: security patch for socks5
To: None <gnats-bugs@gnats.netbsd.org>
From: None <wolfgang@wsrcc.com>
List: netbsd-bugs
Date: 09/04/2003 14:32:59
>Number: 22687
>Category: pkg
>Synopsis: security patch for socks5
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Sep 04 21:33:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator: Wolfgang S. Rupprecht
>Release: NetBSD 1.6L
>Organization:
W S Rupprecht Computer Consulting, Fremont CA
>Environment:
System: NetBSD capsicum.wsrcc.com 1.6L NetBSD 1.6L (WSRCC_ATHLON) #0: Sat Aug 30 09:46:07 PDT 2003 wolfgang@capsicum.wsrcc.com:/u/src/netbsd/src-20030118/src/sys/arch/i386/compile/WSRCC_ATHLON i386
Architecture: i386
Machine: i386
>Description:
The socks5 package is very nicely marked as "don't use unless
you want to get r00ted", but the simple buffer overflow patch
given in the security advisory is not applied.
>How-To-Repeat:
read: http://www.securityfocus.com/archive/1/9842
check lib/log.c and notice that this patch hasn't been applied.
>Fix:
Add this to the socks patch directory (recommended name patch-3l33t)
and "make makepatchsum".
--- lib/log.c.orig Wed Jun 18 09:32:05 1997
+++ lib/log.c Thu Sep 4 14:22:36 2003
@@ -77,7 +77,8 @@
}
void S5LogvUpdate(const void *handle, int level, int msgID, const char *oformat, va_list pvar) {
- char fmt_cpy[2*1024 + 2*10], format[2*1024 + 2*10];
+#define FMT_BUFLEN (2*1024 + 2*10)
+ char fmt_cpy[FMT_BUFLEN], format[FMT_BUFLEN];
S5LogHandle *h = (S5LogHandle *)handle;
int serrno = GETERRNO();
static int dontLoop = 0;
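Review bot: the `#define FMT_BUFLEN` placed between the opening brace of S5LogvUpdate and its declarations is file-scoped from that point on regardless of where it sits, so either move it above the function next to the other definitions or `#undef` it after the closing brace. Since the macro only exists to name the size of `fmt_cpy` and `format`, `sizeof(fmt_cpy)` at the use site would remove the need for it altogether.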
@@ -112,7 +113,9 @@
strcat(format, " ");
replacePercentM(oformat, format + strlen(format), sizeof(format) - strlen(format));
- vsprintf(fmt_cpy, format, pvar);
+ if(vsnprintf(fmt_cpy, FMT_BUFLEN-1,format, pvar)==-1) {
+ fmt_cpy[FMT_BUFLEN-1]='\0';
+ }
/* Log to the Local log facility, e.g. Stderr on Unix and maybe a window */
/* or something on NT. Neither system can deal with a NULL format so */
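Review bot: the `== -1` test after vsnprintf only fires on an encoding error or on a pre-C99 libc; on a C99 vsnprintf such as NetBSD's, truncation returns the length the full message would have had and the output is already NUL-terminated within the FMT_BUFLEN-1 bytes passed, so a cut-off message is never detected by this branch. Suggest keeping the return value and testing it against the size, e.g. `n = vsnprintf(fmt_cpy, sizeof(fmt_cpy), format, pvar); fmt_cpy[sizeof(fmt_cpy)-1] = '\0'; if (n < 0 || n >= (int)sizeof(fmt_cpy)) /* truncated */;`, which also matches the `sizeof(format)` idiom used on the replacePercentM line just above. The unconditional terminator write should stay: it is what guarantees termination on the older libcs that return -1 without terminating.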
>Release-Note:
>Audit-Trail:
>Unformatted:
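For readers who want to see the bounded version of that vsprintf call in isolation, the following is an added example, not code from the socks5 package or from this PR: a vsnprintf-based formatter using the same FMT_BUFLEN buffer size, which classifies the result by vsnprintf's return value rather than by a -1 test, exercised with a constructed oversized argument of the kind that would have run past fmt_cpy. The function names (safe_vformat, safe_format, demo_oversized, demo_fits, demo_raw_return), the result codes and the BIG_LEN input are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same buffer size as socks5's S5LogvUpdate (taken from the PR's hunk). */
#define FMT_BUFLEN (2*1024 + 2*10)

/* Result codes returned by safe_vformat() (names assumed for this example). */
enum { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = -1 };

/*
 * Bounded replacement for vsprintf(fmt_cpy, format, pvar).
 * 'out' is always NUL-terminated on return when outlen > 0, whether the C
 * library follows C99 (vsnprintf returns the length the full message would
 * have had) or the older convention of returning -1 on overflow and
 * possibly leaving no terminator behind.
 */
int safe_vformat(char *out, size_t outlen, const char *format, va_list ap)
{
    int n;

    if (outlen == 0)
        return FMT_ERROR;
    n = vsnprintf(out, outlen, format, ap);
    out[outlen - 1] = '\0';          /* belt and braces for pre-C99 libcs */
    if (n < 0)
        return FMT_ERROR;            /* encoding error, or old libc signalling overflow */
    if ((size_t)n >= outlen)
        return FMT_TRUNCATED;        /* C99: message was cut to outlen-1 characters */
    return FMT_OK;
}

/* Variadic convenience wrapper around safe_vformat(). */
int safe_format(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    int r;

    va_start(ap, format);
    r = safe_vformat(out, outlen, format, ap);
    va_end(ap);
    return r;
}

/* Constructed input: a caller-supplied string far longer than FMT_BUFLEN,
 * the kind of argument that made the original vsprintf write past fmt_cpy. */
#define BIG_LEN 3000

static const char *big_string(void)
{
    static char big[BIG_LEN + 1];
    memset(big, 'A', BIG_LEN);
    big[BIG_LEN] = '\0';
    return big;
}

/* Formats the oversized message into a FMT_BUFLEN buffer; returns the
 * safe_vformat() result and stores strlen() of what ended up in the buffer. */
int demo_oversized(size_t *stored)
{
    char fmt_cpy[FMT_BUFLEN];
    int r = safe_format(fmt_cpy, sizeof fmt_cpy, "socks5: %s", big_string());
    if (stored)
        *stored = strlen(fmt_cpy);
    return r;
}

/* A message that fits: the common path must be unaffected by the bound. */
int demo_fits(size_t *stored)
{
    char fmt_cpy[FMT_BUFLEN];
    int r = safe_format(fmt_cpy, sizeof fmt_cpy, "socks5: pid %d: %s",
                        1234, "connection accepted");
    if (stored)
        *stored = strlen(fmt_cpy);
    return r;
}

/* What vsnprintf itself reports for the oversized message on a C99 libc:
 * the would-be length (8 for "socks5: " plus BIG_LEN), not -1. */
int demo_raw_return(void)
{
    char fmt_cpy[FMT_BUFLEN];
    return snprintf(fmt_cpy, sizeof fmt_cpy, "socks5: %s", big_string());
}

int main(void)
{
    size_t n;
    int r;

    r = demo_oversized(&n);
    printf("oversized: result=%d, %zu bytes stored\n", r, n);
    r = demo_fits(&n);
    printf("fits:      result=%d, %zu bytes stored\n", r, n);
    printf("raw vsnprintf return for the oversized message: %d\n", demo_raw_return());
    return 0;
}
```

The oversized case ends up with exactly FMT_BUFLEN-1 characters in the buffer and a FMT_TRUNCATED result, while the raw vsnprintf return shows why a -1 test alone would never have noticed the cut: on a C99 libc it reports the 3008 bytes the message would have needed.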