[mingetty/f13/master] Limit length of TTY name

Petr Pisar ppisar at fedoraproject.org
Tue Oct 26 16:35:42 UTC 2010 

commit 3d36fc53115001b03de879b11db2cf21cc047020
Author: Petr Písař <ppisar at redhat.com>
Date:   Tue Oct 26 17:33:50 2010 +0200

    Limit length of TTY name
    
    Internal buffer is 40 bytes long. Longer TTY name provided as argument could
    cause buffer overflow.

 mingetty-1.08-limit_tty_length.patch |   22 ++++++++++++++++++++++
 mingetty.spec                        |    4 ++++
 2 files changed, 26 insertions(+), 0 deletions(-)
---
diff --git a/mingetty-1.08-limit_tty_length.patch b/mingetty-1.08-limit_tty_length.patch
new file mode 100644
index 0000000..b477f4c
--- /dev/null
+++ b/mingetty-1.08-limit_tty_length.patch
@@ -0,0 +1,22 @@
+Limit TTY name to size of `buf' buffer
+
+Patch from <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=221841>.
+--- a/mingetty.c
++++ b/mingetty.c
+@@ -138,11 +138,12 @@
+ 	int fd;
+ 
+ 	/* Set up new standard input. */
+-	if (tty[0] == '/')
+-		strcpy (buf, tty);
+-	else {
++	if (tty[0] == '/') {
++		strncpy (buf, tty, sizeof(buf)-1);
++		buf[sizeof(buf)-1] = '\0';
++	} else {
+ 		strcpy (buf, "/dev/");
+-		strcat (buf, tty);
++		strncat (buf, tty, sizeof(buf)-strlen(buf)-1);
+ 	}
+ 	/* There is always a race between this reset and the call to
+ 	   vhangup() that s.o. can use to get access to your tty. */
diff --git a/mingetty.spec b/mingetty.spec
index 222e505..d21e4c5 100644
--- a/mingetty.spec
+++ b/mingetty.spec
@@ -11,6 +11,8 @@ Patch0: mingetty-1.00-opt.patch
 # Bug #635412
 Patch1: mingetty-1.08-check_chroot_chdir_nice.patch
 Patch2: mingetty-1.08-openlog_authpriv.patch
+# Bug #551754
+Patch3: mingetty-1.08-limit_tty_length.patch
 
 %description
 The mingetty program is a lightweight, minimalist getty program for
@@ -22,6 +24,7 @@ lines (you should use the mgetty program in that case).
 %patch0 -p1 -b .opt
 %patch1 -p1 -b .chroot
 %patch2 -p1 -b .openlog
+%patch3 -p1 -b .tty_length
 
 %build
 make "RPM_OPTS=$RPM_OPT_FLAGS"
@@ -46,6 +49,7 @@ rm -rf $RPM_BUILD_ROOT
 * Tue Oct 26 2010 Petr Pisar <ppisar at redhat.com> - 1.08-5
 - Check chroot(), chdir(), and nice() (bug #635412)
 - Open syslog with AUTPRIV facility
+- Limit TTY name length to prevent buffer overflow (bug #551754)
 
 * Sat Jul 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.08-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

More information about the scm-commits mailing list