Re: New bugs discovered!

From: sy4n (sy4nat_private)
Date: Mon Nov 19 2001 - 16:43:29 PST


    Making a diff between gzip 1.2.4 from OpenBSD 2.9 and the gzip.org one, I read:
    
    bash-2.05$ diff gzip.c /usr/src/gnu/usr.bin/gzip/gzip.c
    48c48
    < static char rcsid[] = "$Id: gzip.c,v 0.24 1993/06/24 10:52:07 jloup Exp
    $";
    ---
    > static char rcsid[] = "$Id: gzip.c,v 1.4 1998/11/22 20:03:21 deraadt Exp
    $";
    bash-2.05$ diff gzip.c /usr/src/gnu/usr.bin/gzip/gzip.c
    48c48
    < static char rcsid[] = "$Id: gzip.c,v 0.24 1993/06/24 10:52:07 jloup Exp
    $";
    ---
    > static char rcsid[] = "$Id: gzip.c,v 1.4 1998/11/22 20:03:21 deraadt Exp
    $";
    524c524,530
    <             strcpy(z_suffix, optarg);
    ---
    >           if (z_len > sizeof(z_suffix)-1) {
    >               fprintf(stderr, "%s: -S suffix too long\n", progname);
    >               usage();
    >               do_exit(ERROR);
    >           }
    >             strncpy(z_suffix, optarg, sizeof z_suffix-1);
    >           z_suffix[sizeof z_suffix-1] = '\0';
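    Review bot: the new guard reads z_len, which nothing in this hunk assigns; confirm that z_len = strlen(optarg) (or equivalent) is set in the same case branch before this check, otherwise the comparison runs against stale data. With the guard in place the strncpy plus explicit terminator is defence in depth rather than the fix, which is fine, but the bound is written three ways ("sizeof(z_suffix)-1", "sizeof z_suffix-1") with inconsistent indentation; pick one spelling so a reader can see at a glance that all three places use the same limit.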
    1008a1015,1021
    >     if (strlen(iname) >= sizeof(ifname) - 3) {
    >       errno = ENAMETOOLONG;
    >       perror(iname);
    >       exit_code = ERROR;
    >       return ERROR;
    >     }
    >
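    Review bot: the margin in "strlen(iname) >= sizeof(ifname) - 3" is an unexplained constant. Add a comment stating what the three reserved bytes are for, because the -S hunk above lets z_suffix hold up to sizeof(z_suffix)-1 characters and a reviewer cannot tell from this hunk alone whether a suffix longer than that margin is still safe if the name is later extended. Setting errno before perror(), then setting exit_code and returning ERROR, is the right failure path.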
    1576d1588
    <     (void) chmod(ofname, 0777);
    1636d1647
    <     (void) chmod(ifname, 0777);
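    Review bot: this hunk and the previous one (1576d1588) delete chmod(..., 0777) calls with no replacement. That is correct if the intent was to guarantee a later removal of the file succeeds, since unlink is governed by the directory's permissions rather than the file's own mode, and setting 0777 briefly makes the file writable and executable by every local user. A one-line commit note explaining why nothing is needed in their place would save the next reader from re-adding them.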
    
    
    There are two missing sanity checks in the original GNU gzip: one, according to
    GomoR, is in the suffix code; the other is in the input name checking in
    function get_istat().
    
    The correct code from OpenBSD 2.9 is:
    
        if (strlen(iname) >= sizeof(ifname) - 3) {
            errno = ENAMETOOLONG;
            perror(iname);
            exit_code = ERROR;
            return ERROR;
        }
    
        strcpy(ifname, iname);
    
    while in the vulnerable gzip there isn't the if statement.
    
    Instead, strcpy(nbuf,dir) in treat_dir() has a sanity check in both
    versions:
    
    if (len + NLENGTH(dp) + 1 < MAX_PATH_LEN - 1) {
        strcpy(nbuf,dir);
    
    so the problem isn't here.
    
    Debian is also unaffected 'cause gzip_1.2.4-33.diff adds the same if
    statement in gzip.c.
    
    
    ---
    sy4n
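The two length checks discussed in the post, rewritten as stand-alone functions so their boundary conditions can be exercised without the rest of gzip. This is an added example, not code from the post or from gzip itself; the function names set_suffix, set_ifname, suffix_fits, name_fits and check_boundaries, and the buffer sizes MAX_SUFFIX and MAX_PATH_LEN, are assumptions chosen to mirror the diff, and the inputs are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes; gzip's real constants may differ. */
#define MAX_SUFFIX   30
#define MAX_PATH_LEN 1024

/* Mirror of the OpenBSD -S handling: refuse a suffix that would not fit in
 * z_suffix together with its NUL, then copy with an explicit terminator.
 * Returns 0 on success, -1 when the suffix is too long. */
int set_suffix(char *z_suffix, size_t cap, const char *optarg)
{
    size_t z_len = strlen(optarg);
    if (z_len > cap - 1) {
        fprintf(stderr, "-S suffix too long (%zu chars, max %zu)\n", z_len, cap - 1);
        return -1;
    }
    strncpy(z_suffix, optarg, cap - 1);
    z_suffix[cap - 1] = '\0';
    return 0;
}

/* Mirror of the get_istat() check: the input name must leave the three bytes
 * of headroom the diff reserves in ifname, otherwise fail with ENAMETOOLONG
 * before any copy happens.  Returns 0 on success, -1 on failure. */
int set_ifname(char *ifname, size_t cap, const char *iname)
{
    if (strlen(iname) >= cap - 3) {
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(ifname, iname);   /* bounded by the check above */
    return 0;
}

/* Convenience wrappers over fixed-size buffers, for quick one-off checks. */
int suffix_fits(const char *s)
{
    char z_suffix[MAX_SUFFIX + 1];
    return set_suffix(z_suffix, sizeof z_suffix, s);
}

int name_fits(const char *s)
{
    char ifname[MAX_PATH_LEN];
    return set_ifname(ifname, sizeof ifname, s);
}

/* Walk both boundaries with constructed inputs: the longest accepted value and
 * the shortest rejected one.  Returns the number of cases that misbehaved. */
int check_boundaries(void)
{
    char z_suffix[MAX_SUFFIX + 1];
    char ifname[MAX_PATH_LEN];
    char input[MAX_PATH_LEN + 16];
    int failures = 0;

    /* MAX_SUFFIX characters fit exactly; one more must be refused */
    memset(input, 'x', MAX_SUFFIX);
    input[MAX_SUFFIX] = '\0';
    if (set_suffix(z_suffix, sizeof z_suffix, input) != 0) failures++;
    if (strlen(z_suffix) != MAX_SUFFIX) failures++;
    input[MAX_SUFFIX] = 'x';
    input[MAX_SUFFIX + 1] = '\0';
    if (set_suffix(z_suffix, sizeof z_suffix, input) != -1) failures++;

    /* cap - 4 characters are accepted; cap - 3 trip the >= test */
    memset(input, 'a', sizeof ifname - 4);
    input[sizeof ifname - 4] = '\0';
    if (set_ifname(ifname, sizeof ifname, input) != 0) failures++;
    if (strcmp(ifname, input) != 0) failures++;
    input[sizeof ifname - 4] = 'a';
    input[sizeof ifname - 3] = '\0';
    errno = 0;
    if (set_ifname(ifname, sizeof ifname, input) != -1) failures++;
    if (errno != ENAMETOOLONG) failures++;

    return failures;
}

int main(void)
{
    int bad = check_boundaries();
    printf("%d boundary case(s) misbehaved\n", bad);
    return bad != 0;
}
```

The point of check_boundaries() is the off-by-one edge: the suffix check uses ">" against cap-1 so a suffix of exactly MAX_SUFFIX characters is accepted, while the name check uses ">=" against cap-3 so the last three bytes of ifname are never consumed by the input name.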
    



    This archive was generated by hypermail 2b30 : Mon Nov 19 2001 - 17:03:02 PST