| commit | 1db15a35432b9b954b5b14288f6a1a0f3a568646 | |
| author | Tobias Stoeckmann <tobias@openbsd.org> | |
| Sun, 18 Feb 2007 13:48:33 +0000 (18 14:48 +0100) | ||
| committer | Carlos R. Mafra <crmafra@gmail.com> | |
| Fri, 21 Aug 2009 10:13:12 +0000 (21 12:13 +0200) | ||
| tree | bf0674619c154ab28f8ca00526e3e7835f2d5c16 | treesnapshot (tar.gz zip) |
| parent | c970c94f82e7120f39eebbe8a7fc988d73458d6d | commitdiff |
Fix multiple errors in findfile.c
Problems:
1.
During expansion of path, the resulting path can overflow the supplied
area of PATH_MAX+2 (buffer as well as buffer2). A tampered environment
variable can be used to modify program flow.
Proof:
[note: wmaker has been compiled with propolice]
$ export A="[tested with 4096x A]"
$ GNUSTEP_USER_ROOT="\$A\$A/\$A/\$A/" wmaker --for-real
*** stack smashing detected ***: wmaker terminated
Aborted
2.
Way too many functions handle a return value of NULL for wexpandpath
improperly, resulting in segfaults (and maybe other problems). To
prove the existance of these issues:
Proof:
$ GNUSTEP_USER_ROOT=~nouser wmaker --for-real
wmaker error: could not get password entry for user nouser: Success
Segmentation fault
Solution:
hard exit with error message about what is going on.
3.
The improper parsing of environment variables can lead to expansion
of path names that were not intended to be expanded.
(a) If a string like "$(var" is found, Window Maker tries to expand "var"
(environment variable) although the syntax is wrong.
Proof:
$ export PROOF=foo
$ GNUSTEP_USER_ROOT=/\$\(PROOF wmaker --for-real
wmaker warning: could not find user GNUstep directory (/foo/Defaults/WindowMaker).
(b) If the variable out of a) cannot be resolved, a closing bracket will be
added.
Proof:
$ unset PROOF
$ GNUSTEP_USER_ROOT=/\$\(PROOF wmaker --for-real
./wmaker warning: could not find user GNUstep directory ($(PROOF)/Defaults/WindowMaker).
Author: Tobias Stoeckmann
Retrieved-from: http://paldium.homeunix.org/tobias/wmaker/
Submitted-by: Gilbert Ashley <amigo@ibiblio.org>
Problems:
1.
During expansion of path, the resulting path can overflow the supplied
area of PATH_MAX+2 (buffer as well as buffer2). A tampered environment
variable can be used to modify program flow.
Proof:
[note: wmaker has been compiled with propolice]
$ export A="[tested with 4096x A]"
$ GNUSTEP_USER_ROOT="\$A\$A/\$A/\$A/" wmaker --for-real
*** stack smashing detected ***: wmaker terminated
Aborted
2.
Way too many functions handle a return value of NULL for wexpandpath
improperly, resulting in segfaults (and maybe other problems). To
prove the existance of these issues:
Proof:
$ GNUSTEP_USER_ROOT=~nouser wmaker --for-real
wmaker error: could not get password entry for user nouser: Success
Segmentation fault
Solution:
hard exit with error message about what is going on.
3.
The improper parsing of environment variables can lead to expansion
of path names that were not intended to be expanded.
(a) If a string like "$(var" is found, Window Maker tries to expand "var"
(environment variable) although the syntax is wrong.
Proof:
$ export PROOF=foo
$ GNUSTEP_USER_ROOT=/\$\(PROOF wmaker --for-real
wmaker warning: could not find user GNUstep directory (/foo/Defaults/WindowMaker).
(b) If the variable out of a) cannot be resolved, a closing bracket will be
added.
Proof:
$ unset PROOF
$ GNUSTEP_USER_ROOT=/\$\(PROOF wmaker --for-real
./wmaker warning: could not find user GNUstep directory ($(PROOF)/Defaults/WindowMaker).
Author: Tobias Stoeckmann
Retrieved-from: http://paldium.homeunix.org/tobias/wmaker/
Submitted-by: Gilbert Ashley <amigo@ibiblio.org>
| WINGs/findfile.c | diffblobblamehistory |