ports/163274: fix some latent buffer overflow bug
Tsurutani Naoki
turutani at scphys.kyoto-u.ac.jp
Wed Dec 14 08:20:08 UTC 2011
>Number: 163274
>Category: ports
>Synopsis: fix some latent buffer overflow bug
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 14 08:20:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Tsurutani Naoki
>Release: FreeBSD 8.2-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD h120.65.226.10.32118.vlan.kuins.net 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #25: Mon Jan 24 10:37:18 JST 2011 turutani at h120.65.226.10.32118.vlan.kuins.net:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386
>Description:
games/xshisen contains a buffer overflow vulnerability in its handling of the
GECOS field.
Also fix a bug around the high-score.
>How-To-Repeat:
>Fix:
Here are some patches:
--- components.h.orig 2002-07-07 16:34:23.000000000 +0900
+++ components.h 2011-12-07 11:31:45.000000000 +0900
@@ -61,6 +61,8 @@
#define HNUM (PKIND*2) // Number of pairs to pick up
#define SCORENUM 10 // Number of people to register in high-score
#define NAMELEN 28 // Length of name in high-score
+#define NBUFLEN 127 // Length of namebuf-1
+#define GECOSLEN (NBUFLEN-12) // Length for GECOS field-1
class Timer {
private:
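Review bot: the `12` in `#define GECOSLEN (NBUFLEN-12)` is unexplained here; it only makes sense against the `"%-8.8s (%s)"` format used in score.C (8 login characters, `" ("` and `")"`, plus the terminating NUL). Record that derivation in the comment, e.g. `// room left in namebuf by "%-8.8s (%s)"`, so the two constants cannot silently drift apart if the format string is ever changed.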
--- score.C.orig 2002-06-16 00:20:30.000000000 +0900
+++ score.C 2011-12-14 16:34:35.000000000 +0900
@@ -73,7 +73,7 @@
date[8] = '\0';
strncpy(time, &buffer[53], 8);
time[8] = '\0';
- if (date[0] == '1') {
+ if (date[3] == '-') {
for(int i=1; i<8; i++) {
date[i-1] = date[i];
}
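Review bot: the new condition `date[3] == '-'` is not explained by the PR description ("a bug around the high-score"); a one-line comment stating which date layout in the score file puts a `-` at offset 3, and why the leading character must then be dropped, would make the intent reviewable. Note also that the shift loop copies date[1..7] down by one but leaves date[7] unchanged, so the string stays eight characters long with its last character duplicated unless a line below the hunk re-terminates it.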
@@ -372,12 +372,12 @@
time_t t;
struct tm *tp;
struct passwd *pw;
- char namebuf[128], myname[NAMELEN+1], gecos[128], *po;
+ char namebuf[NBUFLEN+1], myname[NAMELEN+1], gecos[GECOSLEN+1], *po;
s1 = scoreToRegister / 1000;
ms_to_hms(scoreToRegister, h, m, s);
pw = getpwuid(getuid());
- strcpy(gecos, pw->pw_gecos);
+ strncpy(gecos, pw->pw_gecos, GECOSLEN);
if ((po = strchr(gecos, ',')) != NULL)
*po = 0;
sprintf(namebuf, "%-8.8s (%s)", pw->pw_name, gecos);
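Review bot: `strncpy(gecos, pw->pw_gecos, GECOSLEN)` does not NUL-terminate when pw_gecos is GECOSLEN characters or longer, and gecos[GECOSLEN] is an uninitialised stack byte, so the following strchr() and sprintf() may read past the end of gecos. Add `gecos[GECOSLEN] = '\0';` directly after the copy (or use strlcpy()/snprintf(), which FreeBSD's libc provides). With gecos bounded the sprintf() into namebuf fits by construction, but `pw` returned by getpwuid() is still dereferenced without a NULL check.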
--- main.C.orig 2002-07-07 16:33:55.000000000 +0900
+++ main.C 2011-12-07 11:56:13.000000000 +0900
@@ -210,7 +210,7 @@
char buffer[100], *p;
char *(*codeconv)(const char*);
- strcpy(buffer, operation);
+ strncpy(buffer, operation, 99);
if (strchr(buffer, '-') == NULL) {
strcat(buffer, "-" KANJICODE);
}
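Review bot: `strncpy(buffer, operation, 99)` has the same termination gap: for an `operation` of 99 or more characters buffer[99] is never written, so the strchr() and strcat() that follow operate on an unterminated string, and strcat() can still overflow `buffer` when the copied string is close to 99 characters because `"-" KANJICODE` is appended without a length check. Set `buffer[99] = '\0'` after the copy and either check `strlen(buffer) + strlen("-" KANJICODE) < sizeof buffer` before the strcat() or build the string with snprintf().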
>Release-Note:
>Audit-Trail:
>Unformatted:
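The GECOS-to-namebuf path that these patches bound, written out as an added example (not code from xshisen or from the PR): a copy helper that always NUL-terminates and stops at the first comma, plus an snprintf-bounded formatter using the PR's NBUFLEN/GECOSLEN constants. The function names and the sample GECOS strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constants as defined by the patched components.h. */
#define NBUFLEN 127              /* sizeof(namebuf) - 1 */
#define GECOSLEN (NBUFLEN - 12)  /* what "%-8.8s (%s)" leaves: 8 + " (" + ")" + NUL */

/* Copy the real-name part of a GECOS string (up to the first ',') into dst,
 * keeping at most dstlen-1 characters. Unlike bare strncpy(dst, src, n) the
 * result is always NUL-terminated. Returns 1 if the name was truncated. */
static int copy_gecos_name(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    if (dstlen == 0) return 1;
    if (src == NULL) src = "";   /* pw_gecos may be NULL or empty */
    while (src[n] != '\0' && src[n] != ',' && n < dstlen - 1) {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return src[n] != '\0' && src[n] != ',';
}

/* Build "login    (Real Name)" into namebuf. snprintf() bounds the whole
 * string, so a hostile pw_gecos cannot overrun namebuf. Returns the length
 * actually stored (always < buflen). */
static size_t build_namebuf(char *namebuf, size_t buflen,
                            const char *login, const char *pw_gecos)
{
    char gecos[GECOSLEN + 1];
    int len;
    copy_gecos_name(gecos, sizeof gecos, pw_gecos);
    len = snprintf(namebuf, buflen, "%-8.8s (%s)", login, gecos);
    if (len < 0) { namebuf[0] = '\0'; return 0; }
    return (size_t)len < buflen ? (size_t)len : buflen - 1;
}

int main(void)
{
    char namebuf[NBUFLEN + 1], longname[300];
    /* Constructed GECOS values, not taken from any real passwd file. */
    build_namebuf(namebuf, sizeof namebuf, "alice", "Alice Example,Room 1,555-0100");
    puts(namebuf);
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    build_namebuf(namebuf, sizeof namebuf, "bob", longname);
    printf("%zu chars stored, NBUFLEN is %d\n", strlen(namebuf), NBUFLEN);
    return 0;
}
```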