From: Matthew Dillon <dillon@apollo.backplane.com>
Date: Thu, 23 Apr 2009 00:57:21 +0000 (-0700)
Subject: FreeBSD-SA-09:05.telnet - fix environment based code execution vulnerability
X-Git-Tag: v2.3.1~74
X-Git-Url: http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff_plain/3628c2aa6c358f165bee4cb3fedb6c3c21062384

FreeBSD-SA-09:05.telnet - fix environment based code execution vulnerability
---

diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c b/crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c
index 23b2468..3875847 100644
--- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c
+++ b/crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c
@@ -1237,8 +1237,18 @@ scrub_env(void)
 
     char **cpp, **cpp2;
     const char **p;
+    char ** new_environ;
+    size_t count;
+
+    /* Allocate space for scrubbed environment. */
+    for (count = 1, cpp = environ; *cpp; count++, cpp++)
+	;
+    if ((new_environ = malloc(count * sizeof(char *))) == NULL) {
+	environ = NULL;
+	return;
+    }
   
-    for (cpp2 = cpp = environ; *cpp; cpp++) {
+    for (cpp2 = new_environ, cpp = environ; *cpp; cpp++) {
 	int reject_it = 0;
 
 	for(p = reject; *p; p++)
@@ -1252,10 +1262,15 @@ scrub_env(void)
 	for(p = accept; *p; p++)
 	    if(strncmp(*cpp, *p, strlen(*p)) == 0)
 		break;
-	if(*p != NULL)
-	    *cpp2++ = *cpp;
+	if(*p != NULL) {
+		if ((*cpp2++ = strdup(*cpp)) == NULL) {
+			environ = new_environ;
+			return;
+		}
+	}
     }
     *cpp2 = NULL;
+    environ = new_environ;
 }
 
 
diff --git a/crypto/telnet/telnetd/sys_term.c b/crypto/telnet/telnetd/sys_term.c
index 746b81c..7c00588 100644
--- a/crypto/telnet/telnetd/sys_term.c
+++ b/crypto/telnet/telnetd/sys_term.c
@@ -1281,8 +1281,18 @@ scrub_env(void)
 
 	char **cpp, **cpp2;
 	const char **p;
- 
- 	for (cpp2 = cpp = environ; *cpp; cpp++) {
+	char ** new_environ;
+	size_t count;
+
+	/* Allocate space for scrubbed environment. */
+	for (count = 1, cpp = environ; *cpp; count++, cpp++)
+		continue;
+	if ((new_environ = malloc(count * sizeof(char *))) == NULL) {
+		environ = NULL;
+		return;
+	}
+
+	for (cpp2 = new_environ, cpp = environ; *cpp; cpp++) {
 		int reject_it = 0;
 
 		for(p = rej; *p; p++)
@@ -1296,10 +1306,15 @@ scrub_env(void)
 		for(p = acc; *p; p++)
 			if(strncmp(*cpp, *p, strlen(*p)) == 0)
 				break;
-		if(*p != NULL)
- 			*cpp2++ = *cpp;
+		if(*p != NULL) {
+			if ((*cpp2++ = strdup(*cpp)) == NULL) {
+				environ = new_environ;
+				return;
+			}
+		}
  	}
 	*cpp2 = NULL;
+	environ = new_environ;
 }
 
 /*
diff --git a/libexec/telnetd/sys_term.c b/libexec/telnetd/sys_term.c
index 569731b..d52d391 100644
--- a/libexec/telnetd/sys_term.c
+++ b/libexec/telnetd/sys_term.c
@@ -1138,8 +1138,18 @@ scrub_env(void)
 
 	char **cpp, **cpp2;
 	const char **p;
- 
- 	for (cpp2 = cpp = environ; *cpp; cpp++) {
+	char ** new_environ;
+	size_t count;
+
+	/* Allocate space for scrubbed environment. */
+	for (count = 1, cpp = environ; *cpp; count++, cpp++)
+		continue;
+	if ((new_environ = malloc(count * sizeof(char *))) == NULL) {
+		environ = NULL;
+		return;
+	}
+
+	for (cpp2 = new_environ, cpp = environ; *cpp; cpp++) {
 		int reject_it = 0;
 
 		for(p = rej; *p; p++)
@@ -1153,10 +1163,15 @@ scrub_env(void)
 		for(p = acc; *p; p++)
 			if(strncmp(*cpp, *p, strlen(*p)) == 0)
 				break;
-		if(*p != NULL)
- 			*cpp2++ = *cpp;
+		if(*p != NULL) {
+			if ((*cpp2++ = strdup(*cpp)) == NULL) {
+				environ = new_environ;
+				return;
+			}
+		}
  	}
 	*cpp2 = NULL;
+	environ = new_environ;
 }
 
 /*