Making a diff between gzip 1.2.4 from OpenBSD 2.9 and the gzip.org one, I read:

bash-2.05$ diff gzip.c /usr/src/gnu/usr.bin/gzip/gzip.c
48c48
< static char rcsid[] = "$Id: gzip.c,v 0.24 1993/06/24 10:52:07 jloup Exp $";
---
> static char rcsid[] = "$Id: gzip.c,v 1.4 1998/11/22 20:03:21 deraadt Exp $";
524c524,530
< strcpy(z_suffix, optarg);
---
> if (z_len > sizeof(z_suffix)-1) {
> fprintf(stderr, "%s: -S suffix too long\n", progname);
> usage();
> do_exit(ERROR);
> }
> strncpy(z_suffix, optarg, sizeof z_suffix-1);
> z_suffix[sizeof z_suffix-1] = '\0';
1008a1015,1021
> if (strlen(iname) >= sizeof(ifname) - 3) {
> errno = ENAMETOOLONG;
> perror(iname);
> exit_code = ERROR;
> return ERROR;
> }
>
1576d1588
< (void) chmod(ofname, 0777);
1636d1647
< (void) chmod(ifname, 0777);

There are two missing sanity checks in the original GNU gzip: one, according to GomoR, is in the suffix code; the other is in the input name checking in function get_istat(). The correct code from OpenBSD 2.9 is:

    if (strlen(iname) >= sizeof(ifname) - 3) {
        errno = ENAMETOOLONG;
        perror(iname);
        exit_code = ERROR;
        return ERROR;
    }
    strcpy(ifname, iname);

while in the vulnerable gzip the if statement is missing. Instead, strcpy(nbuf,dir) in treat_dir() has a sanity check in both versions:

    if (len + NLENGTH(dp) + 1 < MAX_PATH_LEN - 1) {
        strcpy(nbuf,dir);

so the problem isn't there. Debian is also unaffected because gzip_1.2.4-33.diff adds the same if statement in gzip.c

--- sy4n
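Review bot: in the -S hunk (524c524,530) the new guard compares z_len, which nothing in the hunk assigns; the check only holds if z_len already equals strlen(optarg) when this line is reached, so the preceding context line should be confirmed before merging. Given that guard, the strncpy(z_suffix, optarg, sizeof z_suffix-1) and the explicit z_suffix[sizeof z_suffix-1] = '\0' are belt-and-braces rather than the fix itself, which is fine, and the "-S suffix too long" message followed by usage() and do_exit(ERROR) is the right failure path for a bad command-line option.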
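Review bot: the get_istat() hunk (1008a1015,1021) reserves a fixed three bytes of slack (strlen(iname) >= sizeof(ifname) - 3) before the copy into ifname, which covers a three-character suffix like ".gz", while the -S hunk above accepts a suffix up to sizeof(z_suffix)-1 characters; if ifname later has z_suffix appended, a user-supplied suffix longer than three characters is outside what this check guarantees. Either confirm against the code that appends the suffix that the margin is sufficient, or derive it from strlen(z_suffix) rather than the literal 3.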
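Review bot: the two deletions (1576d1588 and 1636d1647) remove (void) chmod(ofname, 0777) and (void) chmod(ifname, 0777), which set the output and input files world-readable, -writable and -executable and discarded the return value; dropping them is the right call, but nothing in the diff records what the calls were compensating for, so the change should state why they were there and that nothing downstream relied on the loosened mode.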
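To make the comparison in the post concrete, here is an added stand-alone model of the three checks it discusses (the missing get_istat() guard, the OpenBSD -S suffix handling, and the treat_dir() guard present in both versions). This is example code written for this page, not gzip's or sy4n's; the buffer sizes are assumptions taken from gzip 1.2.4's defaults (MAX_PATH_LEN 1024, MAX_SUFFIX 30), the function names are hypothetical, and the real functions do considerably more than copy a name. The unguarded 1.2.4 strcpy is computed rather than performed so the program itself never overflows.

```c
/* Added example, not code from gzip or from the post: a stand-alone model of the
 * buffer handling the post compares. Sizes are assumptions taken from gzip 1.2.4's
 * defaults (MAX_PATH_LEN 1024, MAX_SUFFIX 30); the real get_istat() does more. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 1024
#define MAX_SUFFIX   30
#define OK    0
#define ERROR 1

static char ifname[MAX_PATH_LEN];        /* gzip's input file name buffer */
static char z_suffix[MAX_SUFFIX + 1];    /* gzip's -S suffix buffer */

/* Would gzip 1.2.4's unguarded strcpy(ifname, iname) write past ifname?
 * Computed, not performed, so this program never overflows. */
int unguarded_strcpy_overflows(const char *iname)
{
    return strlen(iname) + 1 > sizeof(ifname);
}

/* The OpenBSD 2.9 / Debian guard: reject names that leave no room for a
 * three-character suffix plus the terminating NUL, then copy. */
int get_istat_checked(const char *iname)
{
    if (strlen(iname) >= sizeof(ifname) - 3) {
        errno = ENAMETOOLONG;
        perror(iname);
        return ERROR;
    }
    strcpy(ifname, iname);
    return OK;
}

/* The -S option path after the OpenBSD fix: length check first, then a
 * bounded copy with an explicit terminator. */
int set_suffix_checked(const char *arg)
{
    size_t z_len = strlen(arg);
    if (z_len > sizeof(z_suffix) - 1) {
        fprintf(stderr, "gzip: -S suffix too long\n");
        return ERROR;
    }
    strncpy(z_suffix, arg, sizeof z_suffix - 1);
    z_suffix[sizeof z_suffix - 1] = '\0';
    return OK;
}

/* The guard treat_dir() already had in both versions, before strcpy(nbuf, dir):
 * len is strlen(dir), namelen the directory entry's name length. */
int dir_entry_fits(size_t len, size_t namelen)
{
    return len + namelen + 1 < MAX_PATH_LEN - 1;
}

/* Constructed test input: a name made of n 'A's (capped so the helper is safe). */
const char *name_of_length(size_t n)
{
    static char buf[4 * MAX_PATH_LEN];
    if (n > sizeof buf - 1) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    const char *longname = name_of_length(2000);   /* constructed: longer than ifname */
    printf("1.2.4 strcpy would overflow: %d\n", unguarded_strcpy_overflows(longname));
    printf("checked get_istat rejects:   %d\n", get_istat_checked(longname) == ERROR);
    printf("boundary %zu accepted:      %d\n", sizeof(ifname) - 4,
           get_istat_checked(name_of_length(sizeof(ifname) - 4)) == OK);
    printf("boundary %zu rejected:      %d\n", sizeof(ifname) - 3,
           get_istat_checked(name_of_length(sizeof(ifname) - 3)) == ERROR);
    printf("-S with 31 chars rejected:   %d\n",
           set_suffix_checked(name_of_length(MAX_SUFFIX + 1)) == ERROR);
    return 0;
}
```

The boundary calls show what the literal 3 in the guard buys: a 1020-byte name is accepted and a 1021-byte one is refused with ENAMETOOLONG, leaving exactly three bytes plus the NUL free in ifname. Any later append of a suffix longer than that would need its own check, which is why a margin derived from strlen(z_suffix) is the more defensible form.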
This archive was generated by hypermail 2b30 : Mon Nov 19 2001 - 17:03:02 PST