FreeBSD-SA-09:05.telnet - fix environment based code execution vulnerability

diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c b/crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c
index 23b2468..3875847 100644 (file)
--- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c
+++ b/crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c
@@ -1237,8 +1237,18 @@ scrub_env(void)
 
     char **cpp, **cpp2;
     const char **p;
+    char ** new_environ;
+    size_t count;
+
+    /* Allocate space for scrubbed environment. */
+    for (count = 1, cpp = environ; *cpp; count++, cpp++)
+       ;
+    if ((new_environ = malloc(count * sizeof(char *))) == NULL) {
+       environ = NULL;
+       return;
+    }
   
-    for (cpp2 = cpp = environ; *cpp; cpp++) {
+    for (cpp2 = new_environ, cpp = environ; *cpp; cpp++) {
        int reject_it = 0;
 
        for(p = reject; *p; p++)
@@ -1252,10 +1262,15 @@ scrub_env(void)
        for(p = accept; *p; p++)
            if(strncmp(*cpp, *p, strlen(*p)) == 0)
                break;
-       if(*p != NULL)
-           *cpp2++ = *cpp;
+       if(*p != NULL) {
+               if ((*cpp2++ = strdup(*cpp)) == NULL) {
+                       environ = new_environ;
+                       return;
+               }
+       }
     }
     *cpp2 = NULL;
+    environ = new_environ;
 }
 
 

diff --git a/crypto/telnet/telnetd/sys_term.c b/crypto/telnet/telnetd/sys_term.c
index 746b81c..7c00588 100644 (file)
--- a/crypto/telnet/telnetd/sys_term.c
+++ b/crypto/telnet/telnetd/sys_term.c
@@ -1281,8 +1281,18 @@ scrub_env(void)
 
        char **cpp, **cpp2;
        const char **p;
- 
-       for (cpp2 = cpp = environ; *cpp; cpp++) {
+       char ** new_environ;
+       size_t count;
+
+       /* Allocate space for scrubbed environment. */
+       for (count = 1, cpp = environ; *cpp; count++, cpp++)
+               continue;
+       if ((new_environ = malloc(count * sizeof(char *))) == NULL) {
+               environ = NULL;
+               return;
+       }
+
+       for (cpp2 = new_environ, cpp = environ; *cpp; cpp++) {
                int reject_it = 0;
 
                for(p = rej; *p; p++)
@@ -1296,10 +1306,15 @@ scrub_env(void)
                for(p = acc; *p; p++)
                        if(strncmp(*cpp, *p, strlen(*p)) == 0)
                                break;
-               if(*p != NULL)
-                       *cpp2++ = *cpp;
+               if(*p != NULL) {
+                       if ((*cpp2++ = strdup(*cpp)) == NULL) {
+                               environ = new_environ;
+                               return;
+                       }
+               }
        }
        *cpp2 = NULL;
+       environ = new_environ;
 }
 
 /*

diff --git a/libexec/telnetd/sys_term.c b/libexec/telnetd/sys_term.c
index 569731b..d52d391 100644 (file)
--- a/libexec/telnetd/sys_term.c
+++ b/libexec/telnetd/sys_term.c
@@ -1138,8 +1138,18 @@ scrub_env(void)
 
        char **cpp, **cpp2;
        const char **p;
- 
-       for (cpp2 = cpp = environ; *cpp; cpp++) {
+       char ** new_environ;
+       size_t count;
+
+       /* Allocate space for scrubbed environment. */
+       for (count = 1, cpp = environ; *cpp; count++, cpp++)
+               continue;
+       if ((new_environ = malloc(count * sizeof(char *))) == NULL) {
+               environ = NULL;
+               return;
+       }
+
+       for (cpp2 = new_environ, cpp = environ; *cpp; cpp++) {
                int reject_it = 0;
 
                for(p = rej; *p; p++)
@@ -1153,10 +1163,15 @@ scrub_env(void)
                for(p = acc; *p; p++)
                        if(strncmp(*cpp, *p, strlen(*p)) == 0)
                                break;
-               if(*p != NULL)
-                       *cpp2++ = *cpp;
+               if(*p != NULL) {
+                       if ((*cpp2++ = strdup(*cpp)) == NULL) {
+                               environ = new_environ;
+                               return;
+                       }
+               }
        }
        *cpp2 = NULL;
+       environ = new_environ;
 }
 
 /*