diff -u -rN osh-1.7/debian/changelog osh-1.7-modified/debian/changelog
--- osh-1.7/debian/changelog Sun Feb 6 13:57:01 2005
+++ osh-1.7-modified/debian/changelog Sun Feb 6 13:57:19 2005
@@ -1,3 +1,12 @@
+osh (1.7-13) unstable; urgency=high
+
+ * urgency set to high because this version fixes a buffer overflow
+ that causes unauthorized privilege escalation (thanks to Charles Stevenson
+ <[EMAIL PROTECTED]> for the bug report)
+ * main.c: s/strcpy/strncpy/ and s/strcat/strncat/ to avoid a buffer overflow
+
+ -- Oohara Yuuma <[EMAIL PROTECTED]> Sun, 6 Feb 2005 13:36:02 +0900
+
osh (1.7-12) unstable; urgency=high
* urgency set to high because this version fixes a buffer overflow
diff -u -rN osh-1.7/main.c osh-1.7-modified/main.c
--- osh-1.7/main.c Sun Feb 6 13:57:01 2005
+++ osh-1.7-modified/main.c Sun Feb 6 13:57:19 2005
@@ -305,12 +305,18 @@
if (strcmp(Table[++i].prog_name,argv[1])==0) { found=1; break; }
if (found) { /* It's a command, input is a string */
inputfp=(FILE *)1;
- strcpy(inputstring, argv[1]);
+ strncpy(inputstring, argv[1], sizeof(inputstring));
+ inputstring[sizeof(inputstring) - 1] = '\0';
for (i=3;i<=argc;i++) {
- strcat(inputstring, " ");
- strcat(inputstring, argv[i-1]);
+ strncat(inputstring, " ", sizeof(inputstring) - strlen(inputstring));
+ inputstring[sizeof(inputstring) - 1] = '\0';
+ strncat(inputstring, argv[i-1],
+ sizeof(inputstring) - strlen(inputstring));
+ inputstring[sizeof(inputstring) - 1] = '\0';
}
- strcat(inputstring, "\n"); /* So it's a command */
+ /* So it's a command */
+ strncat(inputstring, "\n", sizeof(inputstring) - strlen(inputstring));
+ inputstring[sizeof(inputstring) - 1] = '\0';
} else { /* It's a file, input is that file */
if (access(argv[1], R_OK)) {
fprintf(stderr,"No access to shell script\n");
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
