patch attached

-- 
Oohara Yuuma <[EMAIL PROTECTED]>

Lord, what fools these mortals be!
--- William Shakespeare, "A Midsummer-Night's Dream"
diff -u -rN osh-1.7-unmodified/debian/changelog osh-1.7/debian/changelog
--- osh-1.7-unmodified/debian/changelog 2005-11-09 23:34:25.000000000 +0900
+++ osh-1.7/debian/changelog    2005-11-09 23:34:41.000000000 +0900
@@ -1,3 +1,12 @@
+osh (1.7-15) unstable; urgency=high
+
+  * urgency set to high because this version fixes a bug that causes
+    unauthorized privilege escalation (thanks to Charles Stevenson
+    <[EMAIL PROTECTED]> for the bug report)
+  * main.c: don't overwrite the return value of getenv() (closes: #338312)
+
+ -- Oohara Yuuma <[EMAIL PROTECTED]>  Wed,  9 Nov 2005 23:05:52 +0900
+
 osh (1.7-14) unstable; urgency=high
 
   * urgency set to high because this version fixes a buffer overflow
diff -u -rN osh-1.7-unmodified/main.c osh-1.7/main.c
--- osh-1.7-unmodified/main.c   2005-11-09 23:34:25.000000000 +0900
+++ osh-1.7/main.c      2005-11-09 23:34:41.000000000 +0900
@@ -442,31 +442,33 @@
          fprintf(stderr,"Illegal or too long environment variable\n");
          break;
        }
-       if ((env2=getenv(env))==NULL) {
-         char temp[255];
-         char *temp2;
-         
-         strcpy(temp,env);
-         if ((temp2=(char *)strrchr(temp,'/'))!=NULL) {
-           if (temp2!=temp)
-             *temp2='\0';
-           else
-             *(temp2+1)='\0';
-           if ((env2=getenv(temp))!=NULL) {
-             strcat(env2,"/");
-             strcat(env2,temp2+1);
-           }
-         }
-       }       
-       if (env2==NULL) {
-         fprintf(stderr,"Nonexistent environment variable\n");
-         break;
-       }
-       if ((argv[argc]=(char *)malloc(strlen(env2)+1))==NULL) {
-         fprintf(stderr,"Out of arg memory\n");
-         break;
-       }
-       strcpy(argv[argc],env2);
+        {
+          char temp[255];
+          /* temp2+1 is "" which is a valid string */
+         char *temp2 = "\0";
+
+          if ((env2=getenv(env))==NULL) {
+            strcpy(temp,env);
+            if ((temp2=(char *)strrchr(temp,'/'))!=NULL) {
+              if (temp2!=temp)
+                *temp2='\0';
+              else
+                *(temp2+1)='\0';
+              env2=getenv(temp);
+            }
+          }
+          if (env2==NULL) {
+            fprintf(stderr,"Nonexistent environment variable\n");
+            break;
+          }
+          if ((argv[argc]=(char 
*)malloc(strlen(env2)+strlen(temp2+1)+1))==NULL) {
+            fprintf(stderr,"Out of arg memory\n");
+            break;
+          }
+          strcpy(argv[argc],env2);
+          strcpy(argv[argc]+strlen(env2), temp2+1);
+          *(argv[argc]+strlen(env2)+strlen(temp2+1)) = '\0';
+        } /* of temp[] and *temp2 declaration */
        argc++;
        continue;
       case TPIPE:
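Review bot: The new side loses the path separator when `env` is split at its last '/': `*temp2='\0'` overwrites the slash, and the two `strcpy` calls after `malloc` join `env2` and `temp2+1` directly, so `HOME/bin` now expands to `/home/userbin` where the removed code produced `/home/user/bin` (it re-inserted the "/" with `strcat`). Refusing to write into the buffer returned by `getenv()` is the right fix for a setuid restricted shell, since that buffer is the live process environment, but the replacement should carry the separator in both the `malloc` size and the copy, as sketched below. The trailing `*(argv[argc]+strlen(env2)+strlen(temp2+1)) = '\0';` is redundant because `strcpy` already NUL-terminates, and `strcpy(temp,env)` into `temp[255]` relies on the "too long environment variable" check above the hunk bounding `env` below 255 bytes — that bound is not visible here, so confirm it or use `snprintf(temp, sizeof temp, "%s", env)`. The enclosing `switch` case begins before the hunk and the function continues after it.
```c
          char temp[255];
          const char *sep = "";   /* becomes "/" when env is split at its last slash */
          /* temp2+1 is "" which is a valid string */
          char *temp2 = "\0";
          size_t len;

          if ((env2=getenv(env))==NULL) {
            strcpy(temp,env);
            if ((temp2=(char *)strrchr(temp,'/'))!=NULL) {
              /* … unchanged: truncate temp at the slash … */
              env2=getenv(temp);
              sep = "/";   /* restore the separator the truncation removed */
            }
          }
          /* … unchanged: "Nonexistent environment variable" check … */
          len = strlen(env2)+strlen(sep)+strlen(temp2+1)+1;
          if ((argv[argc]=(char *)malloc(len))==NULL) {
            fprintf(stderr,"Out of arg memory\n");
            break;
          }
          /* bounded by len, which was sized for exactly this string */
          snprintf(argv[argc], len, "%s%s%s", env2, sep, temp2+1);
```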
