Author: rmeggins
Update of /cvs/dirsec/setuputil/installer/unix/lib
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15054/setuputil/installer/unix/lib
Modified Files:
dialog.cc ux-curse.c ux-util.cc ux-wrapper.cc
Log Message:
Bug(s) fixed: 186280
Bug Description: Close potential security vulnerabilities in CGI code
Reviewed by: Nathan & Noriko (Thanks!)
Fix Description: Mostly cleaned up usage of sprintf.
Platforms tested: Fedora Core 5
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
Index: dialog.cc
===================================================================
RCS file: /cvs/dirsec/setuputil/installer/unix/lib/dialog.cc,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- dialog.cc 29 Jul 2005 22:16:32 -0000 1.1.1.1
+++ dialog.cc 23 Mar 2006 15:59:22 -0000 1.2
@@ -28,6 +28,17 @@
** HISTORY
**
** $Log$
+** Revision 1.2 2006/03/23 15:59:22 rmeggins
+** Bug(s) fixed: 186280
+** Bug Description: Close potential security vulnerabilities in CGI code
+** Reviewed by: Nathan & Noriko (Thanks!)
+** Fix Description: Mostly cleaned up usage of sprintf.
+** Platforms tested: Fedora Core 5
+** Flag Day: no
+** Doc impact: no
+** QA impact: should be covered by regular nightly and manual testing
+** New Tests integrated into TET: none
+**
** Revision 1.1.1.1 2005/07/29 22:16:32 foxworth
** Importing new setup sdk for open source project
**
@@ -347,7 +358,11 @@
if (_enable8BitInput)
{
utf8Buf = localToUTF8(_buf);
- strcpy(_buf, utf8Buf);
+ strncpy(_buf, utf8Buf, _bufLen);
+ if (!memchr(_buf, 0, _bufLen)) { /* string is not null terminated */
+ _buf[0] = 0; /* erase to avoid using improperly formed utf8 */
+ rc = 0;
+ }
free(utf8Buf);
}
}
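Review bot: `utf8Buf` is passed to `strncpy` without a NULL check in the `_enable8BitInput` branch; if `localToUTF8` can return NULL on a failed conversion or allocation (its definition is not in this hunk), the copy dereferences it. Wrapping the copy as `if (utf8Buf) { … } else { _buf[0] = 0; rc = 0; }` would send that case through the same rejection path the new `memchr` test uses. The `memchr` test also relies on `_bufLen` being the full size of `_buf`, which is declared outside the hunk; a one-line comment stating that invariant would help the next reader.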
@@ -411,12 +426,14 @@
ans = UTF8ToLocal(_defaultAns.data());
else
ans = strdup((const char *) _defaultAns);
- sprintf(tstr, " [%s]: ", ans);
+ snprintf(tstr, sizeof(tstr), " [%s]: ", ans);
+ tstr[sizeof(tstr)-1] = 0;
free(ans);
}
else
{
- sprintf(tstr, "%c ", ':');
+ snprintf(tstr, sizeof(tstr), "%c ", ':');
+ tstr[sizeof(tstr)-1] = 0;
_buf[0] = 0;
}
printw(tstr);
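Review bot: `printw(tstr)` on the last line still passes the assembled buffer as the format string, so any `%` in the default answer copied into `tstr` is interpreted as a conversion by curses; bounding the `snprintf` does not change that. The call should be `printw("%s", tstr);`. The same pattern is in the first ux-curse.c hunk, where `printw(errbuf)` follows the new `vsnprintf` and should become `printw("%s", errbuf);`. The enclosing function starts and ends outside this hunk.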
Index: ux-curse.c
===================================================================
RCS file: /cvs/dirsec/setuputil/installer/unix/lib/ux-curse.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- ux-curse.c 29 Jul 2005 22:16:32 -0000 1.1.1.1
+++ ux-curse.c 23 Mar 2006 15:59:22 -0000 1.2
@@ -56,8 +56,9 @@
va_list arg;
va_start(arg, msg);
- vsprintf(errbuf, msg, arg);
+ vsnprintf(errbuf, sizeof(errbuf), msg, arg);
va_end(arg);
+ errbuf[sizeof(errbuf)-1] = 0;
printw(errbuf);
printw("Press any key to continue.\n");
refresh();
@@ -72,8 +73,9 @@
va_list arg;
va_start(arg, msg);
- vsprintf(errbuf, msg, arg);
+ vsnprintf(errbuf, sizeof(errbuf), msg, arg);
va_end(arg);
+ errbuf[sizeof(errbuf)-1] = 0;
getyx(stdscr, y, x);
Index: ux-util.cc
===================================================================
RCS file: /cvs/dirsec/setuputil/installer/unix/lib/ux-util.cc,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- ux-util.cc 29 Jul 2005 22:16:33 -0000 1.1.1.1
+++ ux-util.cc 23 Mar 2006 15:59:22 -0000 1.2
@@ -27,6 +27,17 @@
** UNIX Only
** HISTORY:
** $Log$
+** Revision 1.2 2006/03/23 15:59:22 rmeggins
+** Bug(s) fixed: 186280
+** Bug Description: Close potential security vulnerabilities in CGI code
+** Reviewed by: Nathan & Noriko (Thanks!)
+** Fix Description: Mostly cleaned up usage of sprintf.
+** Platforms tested: Fedora Core 5
+** Flag Day: no
+** Doc impact: no
+** QA impact: should be covered by regular nightly and manual testing
+** New Tests integrated into TET: none
+**
** Revision 1.1.1.1 2005/07/29 22:16:33 foxworth
** Importing new setup sdk for open source project
**
@@ -291,7 +302,8 @@
NSString hn;
NVPair *admconf;
- sprintf(tstr, "%s/%s", sroot, DEFAULT_ADMINCONF);
+ snprintf(tstr, sizeof(tstr), "%s/%s", sroot, DEFAULT_ADMINCONF);
+ tstr[sizeof(tstr)-1] = 0;
admconf = new NVPair(tstr);
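Review bot: The new `snprintf` for the `DEFAULT_ADMINCONF` path discards its return value, so an over-long `sroot` now yields a silently truncated path that is handed to `new NVPair(tstr)` and may name a different file. Testing the result, e.g. `if (snprintf(tstr, sizeof(tstr), "%s/%s", sroot, DEFAULT_ADMINCONF) >= (int)sizeof(tstr))` followed by the function's own error return, would reject that case; the error path is outside the hunk, so its exact form has to match the function. The same applies to the two `DEFAULT_SSUSERCONF` hunks and to the `adm.conf` path built in `temp` further down this file.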
@@ -371,7 +383,8 @@
NVPair *ssconf;
NSString ssUser;
- sprintf(tstr, "%s/%s", sroot, DEFAULT_SSUSERCONF);
+ snprintf(tstr, sizeof(tstr), "%s/%s", sroot, DEFAULT_SSUSERCONF);
+ tstr[sizeof(tstr)-1] = 0;
ssconf = new NVPair(tstr);
@@ -411,7 +424,8 @@
NVPair *ssconf;
NSString ssGroup;
- sprintf(tstr, "%s/%s", sroot, DEFAULT_SSUSERCONF);
+ snprintf(tstr, sizeof(tstr), "%s/%s", sroot, DEFAULT_SSUSERCONF);
+ tstr[sizeof(tstr)-1] = 0;
ssconf = new NVPair(tstr);
@@ -450,7 +464,8 @@
NVPair admpw;
const char *pwd = NULL;
- sprintf(temp, "%s/admin-serv/config/adm.conf", serverRoot);
+ snprintf(temp, sizeof(temp), "%s/admin-serv/config/adm.conf", serverRoot);
+ temp[sizeof(temp)-1] = 0;
admpw.setFormat(2);
admpw.read(temp);
@@ -489,12 +504,13 @@
if (uname(&sysname) >= 0)
{
#if defined(IRIX) /* I want IRIX, not IRIX64 */
- sprintf(tstr, "%s%s", "IRIX", sysname.release);
+ snprintf(tstr, sizeof(tstr), "%s%s", "IRIX", sysname.release);
#elif defined(SOLARIS) || defined(OSF1) || defined(HPUX)
- sprintf(tstr, "%s%s", sysname.sysname, sysname.release);
+ snprintf(tstr, sizeof(tstr), "%s%s", sysname.sysname, sysname.release);
#elif defined(AIX)
- sprintf(tstr, "%s%s.%s", sysname.sysname, sysname.version,
sysname.release);
+ snprintf(tstr, sizeof(tstr), "%s%s.%s", sysname.sysname, sysname.version,
sysname.release);
#endif
+ tstr[sizeof(tstr)-1] = 0;
return tstr;
}
else
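Review bot: The `#if`/`#elif` chain in the `uname()` branch has no `#else`, so on a platform that defines none of IRIX, SOLARIS, OSF1, HPUX or AIX nothing is written to `tstr` before `return tstr;`, and the new `tstr[sizeof(tstr)-1] = 0;` only sets the last byte. Unless `tstr` is initialised above the hunk or other platforms are handled elsewhere, the returned string is indeterminate there. An `#else` branch with `tstr[0] = 0;`, or a generic `sysname.sysname`/`sysname.release` format, would make the result defined. The function begins and ends outside the hunk.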
@@ -537,6 +553,7 @@
if (!strncasecmp(line, "domain ", 7))
{
sscanf(&line[7], "%s", domain);
+ domain[sizeof(domain)-1] = 0;
dm = (domain[0] == '.' ? &domain[1] : domain);
return dm;
}
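Review bot: The added `domain[sizeof(domain)-1] = 0;` runs after `sscanf(&line[7], "%s", domain)` has already written an unbounded token, so a long `domain` line in the parsed file still overruns the buffer. The bound belongs in the conversion itself as a field width one less than the array size, for example `"%255s"` if `domain` were `char domain[256]` (size constructed here; the declaration is outside the hunk). The `sscanf` return value should also be compared with 1 before `domain[0]` is read, since `domain` is otherwise used unassigned when nothing follows the keyword.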
@@ -589,7 +606,8 @@
/* Bug 624241 - sprintf() will wipe out target var first on Linux */
char hncopy[SML_BUF];
strcpy(hncopy, hn);
- sprintf(hn, "%s.%s", hncopy, dn.data());
+ snprintf(hn, sizeof(hn), "%s.%s", hncopy, dn.data());
+ hn[sizeof(hn)-1] = 0;
}
/* Return whatever we ended up with. */
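Review bot: `strcpy(hncopy, hn);` two lines above the new `snprintf` is still unbounded: `hncopy` is `SML_BUF` bytes and the size of `hn` is not visible in this hunk. If `hn` can hold more than `SML_BUF - 1` characters, use `snprintf(hncopy, sizeof(hncopy), "%s", hn);` instead. Also confirm that `hn` is a true array in this scope, because `sizeof(hn)` evaluates to the pointer size if it is a `char *` parameter or local.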
@@ -710,7 +728,8 @@
return 0;
}
- sprintf(fn, "/tmp/trychown.%ld", (long) getpid());
+ snprintf(fn, sizeof(fn), "/tmp/trychown.%ld", (long) getpid());
+ fn[sizeof(fn)-1] = 0;
if ((fd = creat(fn, 0777)) == -1)
return 0; /* Hmm. */
ret = chown(fn, pw->pw_uid, pw->pw_gid);
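Review bot: The file name `/tmp/trychown.<pid>` is predictable and is opened with `creat(fn, 0777)`, which follows an existing symlink, and the following `chown(fn, …)` then acts on the path rather than on the descriptor. In a shared `/tmp` this is the insecure-temporary-file pattern (CWE-377), which the sprintf clean-up leaves in place. Prefer `snprintf(fn, sizeof(fn), "/tmp/trychown.XXXXXX"); fd = mkstemp(fn);` together with `fchown(fd, pw->pw_uid, pw->pw_gid)`. The `trychown_grp` hunk below has the same construct.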
@@ -826,7 +845,8 @@
}
}
- sprintf(fn, "/tmp/trychown_grp.%ld", (long) getpid());
+ snprintf(fn, sizeof(fn), "/tmp/trychown_grp.%ld", (long) getpid());
+ fn[sizeof(fn)-1] = 0;
if ((fd = creat(fn, 0777)) == -1)
{
return 0; /* Hmm. */
@@ -885,11 +905,7 @@
NSString
InstUtil::getSelfUserID()
{
-#if 0
- return cuserid(NULL);
-#else
return getpwuid(geteuid())->pw_name;
-#endif
}
/*********************************************************************
@@ -1066,7 +1082,8 @@
return ("/");
}
- strcpy(s, path);
+ strncpy(s, path, sizeof(s));
+ s[sizeof(s)-1] = 0;
/* Strip off trailing / */
Index: ux-wrapper.cc
===================================================================
RCS file: /cvs/dirsec/setuputil/installer/unix/lib/ux-wrapper.cc,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- ux-wrapper.cc 29 Jul 2005 22:16:33 -0000 1.1.1.1
+++ ux-wrapper.cc 23 Mar 2006 15:59:22 -0000 1.2
@@ -29,6 +29,17 @@
** HISTORY:
**
** $Log$
+** Revision 1.2 2006/03/23 15:59:22 rmeggins
+** Bug(s) fixed: 186280
+** Bug Description: Close potential security vulnerabilities in CGI code
+** Reviewed by: Nathan & Noriko (Thanks!)
+** Fix Description: Mostly cleaned up usage of sprintf.
+** Platforms tested: Fedora Core 5
+** Flag Day: no
+** Doc impact: no
+** QA impact: should be covered by regular nightly and manual testing
+** New Tests integrated into TET: none
+**
** Revision 1.1.1.1 2005/07/29 22:16:33 foxworth
** Importing new setup sdk for open source project
**
@@ -179,12 +190,13 @@
{
return;
}
- sprintf(buf,"[%s] %s", who, level);
+ snprintf(buf, sizeof(buf), "[%s] %s", who, level);
va_start (arg, msg);
- vsprintf(buf+strlen(buf), msg, arg);
+ vsnprintf(buf+strlen(buf), sizeof(buf)-strlen(buf), msg, arg);
va_end(arg);
+ buf[sizeof(buf)-1] = 0;
fputs(buf,fp);
fputs("\n",fp);
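Review bot: `strlen(buf)` is evaluated twice in the `vsnprintf` call before `buf[sizeof(buf)-1] = 0;` runs, so the explicit terminator does not protect those reads. If the terminator is there for `snprintf` implementations that do not NUL-terminate on truncation, it also needs to follow the first `snprintf`: `buf[sizeof(buf)-1] = 0;` directly before `va_start`. Taking the length once, `size_t used = strlen(buf);`, and passing `buf + used, sizeof(buf) - used` would also make the remaining-space arithmetic easier to audit. The function's opening lines are outside the hunk.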