Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: Re: GNU Sharutils buffer overflow vulnerability.

Re: GNU Sharutils buffer overflow vulnerability.

From: Dan Yefimov <dan_at_D00M.integrate.com.ru>
Date: Sun, 11 Apr 2004 00:14:48 +0400 (MSD)

On Tue, 6 Apr 2004, [iso-8859-1] Shaun Colley wrote:

> I have written a simple patch below to fix the buffer
> overflow bug:
>
>
> --- shar-bof.patch ---
>
> --- shar.1.c 2004-04-06 16:26:55.000000000 +0100
> +++ shar.c 2004-04-06 16:32:32.000000000 +0100
> @@ -1905,7 +1905,7 @@
> break;
>
> case 'o':
> - strcpy (output_base_name, optarg);
> + strncpy (output_base_name, optarg,
> sizeof(output_base_name));
> if (!strchr (output_base_name, '%'))
> strcat (output_base_name, ".%02d");
> part_number = 0;
> --- EOF ---
>
Your patch isn't quite correct since you at least forgot about
strcat(output_base_name, ".%02d") following patched code. You didn't also
notice subsequent using output_base_name as a format string which may produce
overflow of output_filename[] because of unnoticed percent symbols passed in.
Attached a patch accounting for that. 

-- 
    Sincerely Your, Dan.

Received on Apr 11 2004
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]