[FreeVMS] Potential Security Bugs in Freevms
BERTRAND Joël
joel.bertrand at systella.fr
Mon 14 May 09:12:10 CEST 2007
george john wrote:
> Hello,
Hello,
> I found the following security bugs in your project "Freevms", which was hosted on freshmeat.net
Thanks for your feedback. I am posting your contribution to the mailing list.
> 1.
>
> /backup/src/vmsbackup.c 241 gets()
>
> Does not check for buffer overflows.
This patch should fix this buffer overflow.
--- vmsbackup.c 2001-11-12 13:09:00.000000000 +0100
+++ vmsbackup-patch.c 2007-05-14 09:08:39.000000000 +0200
@@ -238,7 +238,7 @@
if(procf && wflag) {
printf("extract %s [ny]",filename);
fflush(stdout);
- gets(ans);
+ fgets(ans, 1, stdin);
if(*ans != 'y') procf = 0;
}
if(procf)
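Review bot: the size argument on the added line, fgets(ans, 1, stdin), makes the prompt unusable. fgets stores at most size-1 characters, so with a size of 1 it writes only the terminating NUL and leaves the user's reply unread in stdin. *ans is then never 'y', so procf is always cleared and nothing is extracted when wflag is set. Pass the real buffer size instead (sizeof ans if ans is an array in this scope; its declaration is not visible in the hunk), and treat a NULL return from fgets as a "no" so that EOF does not fall through to a test on stale contents of ans.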
> 2.
>
> /cmuip/ipacp/src/nfs.c : 788 chown
>
> This accepts filename arguments; if an attacker can move those files, a race condition results.
>
> 3.
>
> projects/freevms/cmuip/ipacp/src/nfs.c:813: [5] (race) chmod:
>
> This accepts filename arguments; if an attacker can move those files, a race condition results.
>
> 4.
>
> projects/freevms/cmuip/ipacp/src/nfs.c:1629: [5] (race) chown:
>
> This accepts filename arguments; if an attacker can move those files, a race condition results.
True. We have to fix this.
> 5.
>
> projects/freevms/examples/crec.c:135: [5] (buffer) gets:
>
> Does not check for buffer overflows.
>
> 6.
>
> projects/freevms/examples/crec.c:147: [5] (buffer) gets:
>
> Does not check for buffer overflows.
>
> 7.
>
> projects/freevms/examples/crec.c:178: [5] (buffer) gets:
>
> Does not check for buffer overflows.
>
> 8.
>
> projects/freevms/examples/crec.c:191: [5] (buffer) gets:
>
> Does not check for buffer overflows.
This file is in the example directory, not in the kernel source tree.
Regards,
JKB
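
For the chown/chmod race reports in items 2 to 4, a common mitigation is to open the file once and change it through the descriptor, so the path is never resolved a second time. The following is an added example, not FreeVMS code and not part of the original message; `chmod_nofollow` and `demo` are hypothetical names, the temp-directory scenario is constructed, and the same pattern applies to `fchown()`.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not FreeVMS code): chmod the regular file at path
 * through a descriptor, so the change lands on the inode that was checked. */
int chmod_nofollow(const char *path, mode_t mode)
{
    /* O_NOFOLLOW: ELOOP if the last component is a symlink.
     * O_NONBLOCK: do not block on a FIFO placed at the path. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    struct stat st;
    int rc = -1;
    if (fstat(fd, &st) == 0) {
        if (S_ISREG(st.st_mode))
            rc = fchmod(fd, mode);  /* path is not resolved again */
        else
            errno = EINVAL;
    }
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed scenario in a temp directory: returns 1 when the regular file
 * is changed and a symlink to it is refused with its target left untouched. */
int demo(void)
{
    char dir[] = "/tmp/fdchmod-XXXXXX", file[64], link[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(file, link) != 0) return -1;
    int changed = chmod_nofollow(file, 0640) == 0;
    int refused = chmod_nofollow(link, 0666) == -1 && errno == ELOOP;
    int intact = stat(file, &st) == 0 && (st.st_mode & 0777) == 0640;
    unlink(link); unlink(file); rmdir(dir);
    return changed && refused && intact;
}
int main(void) { printf("demo: %d\n", demo()); return 0; }
```

`O_NOFOLLOW` only guards the final path component; if parent directories are writable by an untrusted user, resolve them with `openat()` relative to a trusted directory descriptor as well.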