Handling security issues?
Thierry Reding
thierry at doppeltgemoppelt.de
Thu Feb 9 07:41:24 UTC 2006
* Steve Kemp wrote:
[...]
> void SchreibeKonfiguration(){
>     FILE *f;
> #ifndef _WIN32
>     char dateiname[40];
>     sprintf(dateiname,"%s/.BillardGL.conf.v7",getenv("HOME"));
>     f=fopen(dateiname,"w+");
> #endif
>     ...
>     ...
> }
>
> void LeseKonfiguration(){
>     FILE *f;
> #ifndef _WIN32
>     char dateiname[40];
>     sprintf(dateiname,"%s/.BillardGL.conf.v7",getenv("HOME"));
>     f=fopen(dateiname,"r");
>     ...
>     ...
> }
>
> Both of these sections of code contain the same flaw: the contents of
> the environment variable 'HOME' are copied into the fixed-size buffer
> "dateiname" without testing for overflow.
>
> The code could be fixed by using this instead:
>
> memset(dateiname,'\0',sizeof(dateiname));
> snprintf(dateiname,sizeof(dateiname)-1,"%s/.BillardGL.conf.v7",getenv("HOME"));
Sorry for taking the fun out of the practice, but those security issues have
already been fixed in `debian/patches/03_config_buffer_overflows.dpatch'.
Maybe this is another good argument against using a patch system for packages
already in SVN. The same thing actually happened to me once as well while
testing a build using plain `make'. Since this didn't apply any patches from
the `debian/patches' directory, I was left clueless for a couple of minutes
as to why things were going wrong compared to building with dpkg-buildpackage.
Thierry
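As an added illustration of the flaw discussed in this thread (this is example code, not the BillardGL source and not the Debian dpatch), here is the path construction from the quoted functions with the bounds check done explicitly. Besides the overflow itself it handles the two cases the quoted snprintf fix still leaves open: getenv("HOME") returning NULL (which "%s" in sprintf/snprintf does not handle portably) and HOME being too long for the 40-byte buffer, where snprintf silently truncates and the caller would then fopen() a wrong, shortened file name. The names build_config_path, config_path_from_env, required_len and CONFIG_SUFFIX are assumptions chosen for the example.

```c
/* Added example, not from the BillardGL project or the Debian patch.
 * Function and macro names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONFIG_SUFFIX "/.BillardGL.conf.v7"   /* 19 bytes, as in the quoted code */

/* Size the original sprintf() would have needed: HOME + suffix + NUL.
 * With a 40-byte buffer, any HOME longer than 20 bytes overruns the stack. */
size_t required_len(const char *home)
{
    return strlen(home) + strlen(CONFIG_SUFFIX) + 1;
}

/* Hardened version of the quoted path construction.
 * Returns 0 on success, -1 if home is NULL/empty or the result does not fit.
 * On failure out[0] is '\0', so a caller cannot fopen() a half-built path.
 * snprintf() returns the length it *would* have written, so comparing that
 * against outlen detects truncation instead of silently accepting it. */
int build_config_path(const char *home, char *out, size_t outlen)
{
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || home[0] == '\0')
        return -1;

    int n = snprintf(out, outlen, "%s%s", home, CONFIG_SUFFIX);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';          /* truncated: do not hand back a partial name */
        return -1;
    }
    return 0;
}

/* What LeseKonfiguration()/SchreibeKonfiguration() would call instead of
 * sprintf(): read HOME from the environment and bounds-check it. */
int config_path_from_env(char *out, size_t outlen)
{
    return build_config_path(getenv("HOME"), out, outlen);
}

int main(void)
{
    char dateiname[40];     /* same buffer size as the original code */

    if (config_path_from_env(dateiname, sizeof dateiname) != 0) {
        fprintf(stderr, "HOME is unset or too long for a %zu-byte buffer\n",
                sizeof dateiname);
        return 1;
    }
    printf("config path: %s\n", dateiname);
    return 0;
}
```

The check on the return value of snprintf() is the part that matters: the quoted fix stops the overflow, but a truncated path still gets opened, so the program would read or write a file other than the one the user expects. Refusing to build the path (or allocating the buffer with the size returned by required_len()) avoids that.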