Re: ELM overflow

security@home.bti.pl
Wed, 14 May 1997 15:10:46 +0200

On Tue, 13 May 1997, Wojciech Swieboda wrote:

> Hello,
> I've lately found an overflow vulnerability in Elm (Elm is setgid
> mail on Linux, and perhaps on some other platforms as well). I've tested this
> bug on versions 2.3 and 2.4, on 3 different Linux installations.
> From Elm 2.3's curses.c:
> [...]
> char termname[40];
> char *strcpy(), *getenv();
>
> if (getenv("TERM") == NULL) return(-1);
>
> if (strcpy(termname, getenv("TERM")) == NULL)
>     return(-1);
> [...]
> to patch, change the strcpy line to
> if (strncpy(termname, getenv("TERM"), sizeof(termname)) == NULL)
>
To patch it on Elm 2.4, change:

[...]
if (strcpy(termname, termenv) == NULL)
    return (-1);

to:
[...]
if (strncpy(termname, termenv, sizeof(termname)) == NULL)
    return (-1);

-Grych
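
Added example, not part of the original messages or of Elm's source: the strncpy() form suggested above bounds the copy, but strncpy() writes no terminating NUL when TERM is 40 characters or longer, so later string operations on termname can still read past the buffer. The helper names copy_termname and hardened_accepts are hypothetical, and the sample TERM values are constructed.

```c
#include <stdio.h>
#include <string.h>

#define TERMNAME_LEN 40  /* size of termname[] in the snippets above */

/* The suggested patch. strncpy() returns its destination, so comparing the
 * result with NULL never fires, and it writes no NUL when strlen(src) >= n.
 * Returns 1 if termname ended up NUL-terminated, 0 if it did not. */
int patched_copy_is_terminated(const char *termenv)
{
    char termname[TERMNAME_LEN];

    memset(termname, 'X', sizeof(termname));   /* stand-in for stale stack bytes */
    strncpy(termname, termenv, sizeof(termname));
    return memchr(termname, '\0', sizeof(termname)) != NULL;
}

/* Hypothetical helper (not Elm code): refuse a TERM value that does not
 * fit rather than truncating it. Returns 0 on success, -1 otherwise. */
int copy_termname(char *dst, size_t dstlen, const char *termenv)
{
    size_t len;

    if (termenv == NULL || dstlen == 0)
        return -1;
    len = strlen(termenv);
    if (len >= dstlen)
        return -1;
    memcpy(dst, termenv, len + 1);             /* copies the NUL as well */
    return 0;
}

/* Returns 1 if copy_termname() accepted the value and copied it intact. */
int hardened_accepts(const char *termenv)
{
    char termname[TERMNAME_LEN];

    return copy_termname(termname, sizeof(termname), termenv) == 0
        && strcmp(termname, termenv) == 0;
}

int main(void)
{
    /* Constructed sample values: a normal TERM and a 40-character one. */
    const char *samples[] = { "vt100",
        "0123456789012345678901234567890123456789" };
    for (int i = 0; i < 2; i++)
        printf("len=%zu patched_terminated=%d hardened_accepts=%d\n",
               strlen(samples[i]), patched_copy_is_terminated(samples[i]),
               hardened_accepts(samples[i]));
    return 0;
}
```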