Security hole in rusers client

David Holland (dholland@EECS.HARVARD.EDU)
Sat, 02 Aug 1997 15:19:30 -0400

(Cc'd to bugtraq since this probably affects everyone, not just Linux...)

-----BEGIN PGP SIGNED MESSAGE-----

Thanks to David Sacerdote of OpenBSD for pointing me in the general
direction of this one.

Patch against netkit-rusers-0.10 follows. netkit-rusers-0.11 will
appear shortly.

If you don't have pgp and don't know how to un-pgp a patch mail me and
I'll send you an unsigned one.

*** rusers.c 1997/04/05 22:26:22 1.9
- --- rusers.c 1997/08/02 15:53:44
***************
*** 155,174 ****
days, hours, minutes, seconds);
}

strncpy(remote, up->uia_arr[x]->ui_utmp.ut_host,
! sizeof(remote)-1);
if (strlen(remote) != 0)
sprintf(remote, "(%.16s)",
up->uia_arr[x]->ui_utmp.ut_host);

if (longopt) {
! strncpy(local, host, sizeof(local));
! local[sizeof(local)-1] = 0;
! local[HOST_WIDTH + LINE_WIDTH + 1 -
! strlen(up->uia_arr[x]->ui_utmp.ut_line) - 1] = 0;
! strcat(local, ":");
! strcat(local, up->uia_arr[x]->ui_utmp.ut_line);

printf("%-8.8s %-*.*s %-12.12s %8s %.18s\n",
up->uia_arr[x]->ui_utmp.ut_name,
HOST_WIDTH+LINE_WIDTH+1, HOST_WIDTH+LINE_WIDTH+1, local,
- --- 155,186 ----
days, hours, minutes, seconds);
}

strncpy(remote, up->uia_arr[x]->ui_utmp.ut_host,
! sizeof(remote)-1);
! remote[sizeof(remote)-1] = 0;
!
if (strlen(remote) != 0)
sprintf(remote, "(%.16s)",
up->uia_arr[x]->ui_utmp.ut_host);

if (longopt) {
! /* Fit into HOST_WIDTH+LINE_WIDTH+1 chars */
! int len1 = strlen(host);
! int len2 = strlen(up->uia_arr[x]->ui_utmp.ut_line);
! if (len1 + len2 > HOST_WIDTH+LINE_WIDTH+1) {
! int excess = len1 + len2 - HOST_WIDTH-LINE_WIDTH-1;
! if (excess < len1) len1 -= excess;
! else if (excess < len2) len2 -= excess;
! else {
! /* Hmm. Probably an attack... */
! len1 = HOST_WIDTH;
! len2 = LINE_WIDTH;
! }
! }
! snprintf(local, sizeof(local),
! "%-.*s:%-.*%s", len1, host, len2,
! up->uia_arr[x]->ui_utmp.ut_line);

printf("%-8.8s %-*.*s %-12.12s %8s %.18s\n",
up->uia_arr[x]->ui_utmp.ut_name,
HOST_WIDTH+LINE_WIDTH+1, HOST_WIDTH+LINE_WIDTH+1, local,
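Review bot: The format string in the added snprintf() call, `"%-.*s:%-.*%s"`, has a stray `%` in its second conversion, so `len2` is consumed by an invalid `%-.*%` directive and `ut_line` is never formatted, which makes the result undefined rather than merely truncated. It should read `"%-.*s:%-.*s"`. Separately, the length check compares `len1 + len2` with `HOST_WIDTH+LINE_WIDTH+1` without counting the `:` separator, so the string can be one character wider than the comment promises, although snprintf() and the later `%-*.*s` still bound what is stored and printed. The unchanged `sprintf(remote, "(%.16s)", ...)` can write up to 19 bytes of what appears to be data from the remote reply, and the declaration of `remote` is outside the hunk, so either confirm its size or change the call to `snprintf(remote, sizeof(remote), ...)`. The enclosing function starts and ends outside the hunk.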

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM+Nd8zx1dyEHyT51AQGsYgQAqD+UPi73zrvCYP1Ryve6b78HW+v9aAdX
NMV5eSL0PrzZpkXuB729d9LGDB5DQVx4wud5dsV4t8VYaHXhyi2r/h0xWPAQtapf
yuQKmSuYqYqiU7L02sQfpZn6hCSvbg89H+fIv9yfzp3fVhBysl3ba7UpKzmvLq6v
2ojnl95pwKY=
=lnFR
-----END PGP SIGNATURE-----

--
   - David A. Holland             |    VINO project home page:
     dholland@eecs.harvard.edu    | http://www.eecs.harvard.edu/vino