On Sun, Nov 18, 2001 at 09:04:31PM +0300, Yaroslav Klyukin wrote:
> vuln-dev wrote:
>
> > GOBBLES security is happy to announce the discovery of multiple bugs in
> > /bin/gzip, which can be exploited remotely with a bit of creativity.
> > Attached is our advisory on the matter.
>
> Hey, I have tried
>
> /bin/gzip `perl -e 'print "A" x 2048'`
>
> On Linux and FreeBSD
> It didn't work.

On FreeBSD 4-STABLE, there is the following code in gzip.c,

  1.8 (wosch 27-Dec-97):     if (strlen(iname) >= sizeof(ifname) - 3) {
  1.8 (wosch 27-Dec-97):         errno = ENAMETOOLONG;
  1.8 (wosch 27-Dec-97):         perror(iname);
  1.8 (wosch 27-Dec-97):         exit_code = ERROR;
  1.8 (wosch 27-Dec-97):         return ERROR;
  1.8 (wosch 27-Dec-97):     }
  1.1 (nate 18-Jun-93):
  1.1 (nate 18-Jun-93):     strcpy(ifname, iname);

So that's been fixed for a little under four years.

As for the particular strcpy(3) quoted in the original mail,

> strcpy(nbuf,dir)

  1.1 (nate 18-Jun-93):     len = strlen(dir);
  1.1 (nate 18-Jun-93):     if (len + NLENGTH(dp) + 1 < MAX_PATH_LEN - 1) {
  1.1 (nate 18-Jun-93):         strcpy(nbuf,dir);

The length was actually checked first in the original '93 import.
--
Crist J. Clark                     |     cjclarkat_private
                                   |     cjclarkat_private
http://people.freebsd.org/~cjc/    |     cjcat_private
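
The two length guards quoted in the message above, as an added example that is not gzip's source and not part of the original post. The 64-byte MAX_PATH_LEN, the return codes, strlen(entry) standing in for NLENGTH(dp), and the '/' join are assumptions made for illustration.

```c
/* Added example: constructed sizes and names, not gzip's source. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 64            /* constructed small value for the demo */

static char ifname[MAX_PATH_LEN];
static char nbuf[MAX_PATH_LEN];

/* Same shape as the rev 1.8 lines: reject before strcpy, keeping
 * 3 bytes of headroom in the destination buffer. */
int copy_input_name(const char *iname)
{
    if (strlen(iname) >= sizeof(ifname) - 3) {
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(ifname, iname);
    return 0;
}

/* Same shape as the rev 1.1 lines: the combined length is tested
 * before anything is written into nbuf. */
int join_dir_entry(const char *dir, const char *entry)
{
    size_t len = strlen(dir);
    if (len + strlen(entry) + 1 < MAX_PATH_LEN - 1) {
        strcpy(nbuf, dir);
        if (len != 0)
            nbuf[len++] = '/';     /* assumed separator */
        strcpy(nbuf + len, entry);
        return 0;
    }
    errno = ENAMETOOLONG;
    return -1;
}

int main(void)
{
    char name[2049];
    memset(name, 'A', 2048);       /* same length as the test in the mail */
    name[2048] = '\0';
    printf("2048-byte name: %d\n", copy_input_name(name));
    printf("short name:     %d\n", copy_input_name("file.txt"));
    return 0;
}
```
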
This archive was generated by hypermail 2b30 : Mon Nov 19 2001 - 08:54:15 PST