Package: bwbasic
Version: 2.20pl2-8
Severity: normal
Tags: patch

The handling of environmental variables in the basic interpreter doesn't test the length of variables before copying them into a fixed size buffer.

Since the code is not setuid/setgid this isn't a security problem, just a matter of robustness.

The file bwb_fnc.c contains this:

    /*--------------------------------------------------------------------*/
    /* Added check for getenv return value to prevent segmentation faults */
    /* JBV 3/15/96                                                        */
    /*--------------------------------------------------------------------*/
    if (getenv( tbuf ) != NULL)
       strcpy( tmp, getenv( tbuf ));
    else
       strcpy( tmp, "" );

Here the strcpy is unbound. The following is better:

    if (getenv( tbuf ) != NULL)
       strncpy( tmp, getenv( tbuf ), sizeof(tmp)-1);

Steve
--

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-xen (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
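
An added example, not part of the original report or of bwbasic: strncpy() with a bound of sizeof(tmp)-1 stops the overflow but writes no terminating NUL when the value is that long or longer, so the last byte still has to be set. The helper names, the buffer sizes and the assumption that the buffer holds stale non-zero bytes are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The bounded call on its own: returns 1 if dst ends up NUL-terminated
 * within dstsize bytes, 0 if not (long value, stale bytes in dst). */
int strncpy_terminated(char *dst, size_t dstsize, const char *src)
{
    strncpy(dst, src, dstsize - 1);
    return memchr(dst, '\0', dstsize) != NULL;
}

/* Bounded copy that always terminates dst (dstsize includes the NUL).
 * src == NULL (getenv miss) yields "", like the original else branch.
 * Returns 0 if the value fit, 1 if it was truncated, -1 on bad arguments. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t len;

    if (dst == NULL || dstsize == 0)
        return -1;
    if (src == NULL)
        src = "";
    len = strlen(src);
    if (len >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);  /* includes the terminator */
    return 0;
}

/* Looks the variable up once instead of calling getenv() twice. */
int copy_env_bounded(char *dst, size_t dstsize, const char *name)
{
    return copy_bounded(dst, dstsize, getenv(name));
}

int main(void)
{
    char tmp[16];  /* constructed size; the report does not state it */
    const char *longval = "a-constructed-value-longer-than-tmp";

    memset(tmp, 'X', sizeof(tmp));  /* simulate stale buffer contents */
    printf("strncpy only: terminated=%d\n",
           strncpy_terminated(tmp, sizeof(tmp), longval));
    printf("copy_bounded: rc=%d tmp=\"%s\"\n",
           copy_bounded(tmp, sizeof(tmp), longval), tmp);
    printf("copy_env_bounded(HOME): rc=%d tmp=\"%s\"\n",
           copy_env_bounded(tmp, sizeof(tmp), "HOME"), tmp);
    return 0;
}
```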