[FreeVMS] Potential Security Bugs in Freevms

BERTRAND Joël joel.bertrand at systella.fr
Mon 14 May 09:12:10 CEST 2007


george john wrote:
> Hello,

	Hello,

> I found the following security bugs in your project "Freevms", which was hosted on freshmeat.net

	Thanks for your feedback. I am posting your contribution to the mailing list.

> 1.
> 
> /backup/src/vmsbackup.c 241 gets()
> 
>  Does not check for buffer overflows.

	This patch should fix this buffer overflow.

--- vmsbackup.c 2001-11-12 13:09:00.000000000 +0100
+++ vmsbackup-patch.c   2007-05-14 09:08:39.000000000 +0200
@@ -238,7 +238,7 @@
         if(procf && wflag) {
                 printf("extract %s [ny]",filename);
                 fflush(stdout);
-               gets(ans);
+               fgets(ans, 1, stdin);
                 if(*ans != 'y') procf = 0;
         }
         if(procf)
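
Review bot: the added line fgets(ans, 1, stdin) passes a size of 1, and fgets reads at most size minus one characters, so it stores only the terminating NUL; the following test *ans != 'y' is then always true and procf is cleared even when the user types y. Pass the real capacity of ans instead (its declaration is outside this hunk; for an array, fgets(ans, sizeof ans, stdin)), and treat a NULL return (EOF or read error) as "no" rather than testing a buffer that was not written. If a reply can be longer than the buffer, the rest of the line should also be drained so it is not consumed as the answer to the next prompt.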


> 2.
> 
> /cmuip/ipacp/src/nfs.c : 788 chown
> 
> This accepts filename arguments; if an attacker can move those files, a race condition results. 
> 
> 3.
> 
> projects/freevms/cmuip/ipacp/src/nfs.c:813:  [5] (race) chmod:  
> 
> This accepts filename arguments; if an attacker can move those files,  a race condition results.
> 
> 4.
> 
> projects/freevms/cmuip/ipacp/src/nfs.c:1629:  [5] (race) chown:
> 
> This accepts filename arguments; if an attacker can move those files,   a race condition results. 

	True. We have to fix this.

> 5.
> 
> projects/freevms/examples/crec.c:135:  [5] (buffer) gets:
> 
> Does not check for buffer overflows. 
> 
> 6.
> 
> projects/freevms/examples/crec.c:147:  [5] (buffer) gets:
> 
> Does not check for buffer overflows. 
> 
> 7.
> 
> projects/freevms/examples/crec.c:178:  [5] (buffer) gets:
> 
> Does not check for buffer overflows. 
> 
> 8.
> 
> projects/freevms/examples/crec.c:191:  [5] (buffer) gets:
> 
> Does not check for buffer overflows.

	This file is in the example directory, not in the kernel source tree.

	Regards,

	JKB
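
Items 2 to 4 above flag path-based chown/chmod calls as racy. The following is an added example, not part of the original message and not FreeVMS code, of the usual mitigation on a POSIX system: open the file once with O_NOFOLLOW and apply ownership and mode through the descriptor. The helper name and the /tmp demo file are assumptions.

```c
#define _POSIX_C_SOURCE 200809L  /* O_NOFOLLOW, fchown, mkstemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not FreeVMS code. Returns 0, or -1 with errno set. */
int set_owner_mode_nofollow(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    struct stat st;
    int rc = -1, saved;
    /* O_NOFOLLOW: refuse a symlink as the final path component. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    /* From here on every call acts on the opened inode, not on the name,
     * so renaming or replacing the path cannot redirect the change. */
    if (fstat(fd, &st) == 0) {
        if (!S_ISREG(st.st_mode))
            errno = EINVAL;          /* only regular files are accepted */
        else if (fchown(fd, uid, gid) == 0 && fchmod(fd, mode) == 0)
            rc = 0;
    }
    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed demo: a regular file is changed, a symlink to it is refused. */
int demo(void)
{
    char file[] = "/tmp/fvms_demo_XXXXXX", lnk[64];
    struct stat st;
    int bad = 0, fd = mkstemp(file);
    if (fd < 0) return -1;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    if (symlink(file, lnk) < 0) { unlink(file); return -1; }
    bad |= set_owner_mode_nofollow(file, geteuid(), getegid(), 0640) != 0;
    bad |= set_owner_mode_nofollow(lnk, geteuid(), getegid(), 0600) != -1;
    bad |= stat(file, &st) != 0 || (st.st_mode & 07777) != 0640;
    unlink(lnk); unlink(file);
    return bad;                      /* 0 when both cases behaved as expected */
}

int main(void) { return demo(); }
```

O_NOFOLLOW only guards the last path component; a directory earlier in the path that an attacker can rename still needs openat() relative to a trusted directory descriptor.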


