Re: New bugs discovered!

From: Crist J. Clark (cristjcat_private)
Date: Mon Nov 19 2001 - 00:59:04 PST

    On Sun, Nov 18, 2001 at 09:04:31PM +0300, Yaroslav Klyukin wrote:
    > vuln-dev pisal(a):
    > 
    > > GOBBLES security is happy to announce the discovery of multiple bugs in
    > > /bin/gzip, which can be exploited remotely with a bit of creativity.
    > > Attached is our advisory on the matter.
    > 
    > Hey, I have tried
    > 
    > /bin/gzip `perl -e 'print "A" x 2048'`
    > 
    > On Linux and FreeBSD
    > It didn't work.
    
    On FreeBSD 4-STABLE, there is the following code in gzip.c,
    
    1.8          (wosch    27-Dec-97):     if (strlen(iname) >= sizeof(ifname) - 3) {
    1.8          (wosch    27-Dec-97):      errno = ENAMETOOLONG;
    1.8          (wosch    27-Dec-97):      perror(iname);
    1.8          (wosch    27-Dec-97):      exit_code = ERROR;
    1.8          (wosch    27-Dec-97):      return ERROR;
    1.8          (wosch    27-Dec-97):     }
    1.1          (nate     18-Jun-93): 
    1.1          (nate     18-Jun-93):     strcpy(ifname, iname);
    
    So that's been fixed for a little under four years.
    
    As for the particular strcpy(3) quoted in the original mail,
    
    >         strcpy(nbuf,dir)
    
    1.1          (nate     18-Jun-93):      len = strlen(dir);
    1.1          (nate     18-Jun-93):      if (len + NLENGTH(dp) + 1 < MAX_PATH_LEN - 1) {
    1.1          (nate     18-Jun-93):          strcpy(nbuf,dir);
    
    The length was actually checked first in the original '93 import.
    -- 
    Crist J. Clark                     |     cjclarkat_private
                                       |     cjclarkat_private
    http://people.freebsd.org/~cjc/    |     cjcat_private
    
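As an added illustration of the two length checks quoted in this message (example code, not from gzip or from the poster), here is a small C program that applies the same pattern: compare the input length against the destination buffer before strcpy(3), and refuse the input with ENAMETOOLONG otherwise. It also feeds in the 2048-byte "A" argument from the thread to show why that test produces an error rather than an overflow. The buffer size MAX_PATH_LEN, the OK/ERROR codes and the separator handling in the join function are this example's assumptions, not gzip's actual definitions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed constants: gzip's own MAX_PATH_LEN and return codes are not on the page. */
#define MAX_PATH_LEN 1024
#define OK    0
#define ERROR 1

/* Checked copy of an input file name, after the gzip.c revision 1.8 hunk quoted
 * above: the name must leave room for a 3-byte suffix plus the terminating NUL,
 * otherwise it is refused with ENAMETOOLONG instead of being copied. */
int copy_input_name(char *ifname, size_t ifname_size, const char *iname)
{
    if (strlen(iname) >= ifname_size - 3) {
        errno = ENAMETOOLONG;
        return ERROR;
    }
    strcpy(ifname, iname);          /* safe: length verified above */
    return OK;
}

/* Checked join of a directory and an entry name, after the 1993 treat_dir hunk:
 * dir, a '/' separator and the entry (plus NUL) must fit in nbuf before any
 * strcpy runs. The separator handling is this example's own simplification. */
int join_dir_entry(char *nbuf, size_t nbuf_size, const char *dir, const char *name)
{
    size_t len = strlen(dir);
    if (len + strlen(name) + 1 >= nbuf_size - 1) {   /* same bound as the quoted check, inverted */
        errno = ENAMETOOLONG;
        return ERROR;
    }
    strcpy(nbuf, dir);
    if (len != 0 && nbuf[len - 1] != '/')
        nbuf[len++] = '/';
    strcpy(nbuf + len, name);       /* fits: checked above, including the '/' */
    return OK;
}

/* The test from the thread: a 2048-byte "AAAA..." argument (constructed input). */
int long_name_is_refused(void)
{
    char iname[2049];
    char ifname[MAX_PATH_LEN];
    memset(iname, 'A', sizeof iname - 1);
    iname[sizeof iname - 1] = '\0';
    return copy_input_name(ifname, sizeof ifname, iname) == ERROR
        && errno == ENAMETOOLONG;
}

/* A name that fits is copied unchanged (constructed input). */
int short_name_is_copied(void)
{
    char ifname[MAX_PATH_LEN];
    return copy_input_name(ifname, sizeof ifname, "notes.txt") == OK
        && strcmp(ifname, "notes.txt") == 0;
}

/* Directory join: a short entry is joined, an over-long one is refused. */
int join_respects_limit(void)
{
    char nbuf[MAX_PATH_LEN];
    char longname[MAX_PATH_LEN];
    memset(longname, 'B', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return join_dir_entry(nbuf, sizeof nbuf, "/tmp/work", "a.txt") == OK
        && strcmp(nbuf, "/tmp/work/a.txt") == 0
        && join_dir_entry(nbuf, sizeof nbuf, "/tmp/work", longname) == ERROR;
}

int main(void)
{
    printf("2048-byte name refused: %s\n", long_name_is_refused() ? "yes" : "NO");
    printf("short name copied:      %s\n", short_name_is_copied() ? "yes" : "NO");
    printf("join respects limit:    %s\n", join_respects_limit() ? "yes" : "NO");
    return 0;
}
```

The point of the bound in copy_input_name is the `- 3`: the check reserves room for the suffix that is appended later, so a name that fits the buffer exactly is still rejected. The join check counts the separator as the `+ 1` term, which is why the quoted 1993 code could safely follow its test with two unchecked strcpy calls.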
    This archive was generated by hypermail 2b30 : Mon Nov 19 2001 - 08:54:15 PST