From 3628c2aa6c358f165bee4cb3fedb6c3c21062384 Mon Sep 17 00:00:00 2001
From: Matthew Dillon
Date: Wed, 22 Apr 2009 17:57:21 -0700
Subject: [PATCH] FreeBSD-SA-09:05.telnet - fix environment based code execution vulnerability
---
 .../heimdal-0.6.3/appl/telnet/telnetd/sys_term.c | 21 +++++++++++++++--
 crypto/telnet/telnetd/sys_term.c | 23 ++++++++++++++++---
 libexec/telnetd/sys_term.c | 23 ++++++++++++++++---
 3 files changed, 56 insertions(+), 11 deletions(-)
diff --git a/crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c b/crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c
index 23b2468..3875847 100644
--- a/crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c
+++ b/crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c
@@ -1237,8 +1237,18 @@ scrub_env(void)
 char **cpp, **cpp2;
 const char **p;
+ char ** new_environ;
+ size_t count;
+
+ /* Allocate space for scrubbed environment. */
+ for (count = 1, cpp = environ; *cpp; count++, cpp++)
+ ;
+ if ((new_environ = malloc(count * sizeof(char *))) == NULL) {
+ environ = NULL;
+ return;
+ }
- for (cpp2 = cpp = environ; *cpp; cpp++) {
+ for (cpp2 = new_environ, cpp = environ; *cpp; cpp++) {
 int reject_it = 0;
 for(p = reject; *p; p++)
@@ -1252,10 +1262,15 @@ scrub_env(void)
 for(p = accept; *p; p++)
 if(strncmp(*cpp, *p, strlen(*p)) == 0)
 break;
- if(*p != NULL)
- *cpp2++ = *cpp;
+ if(*p != NULL) {
+ if ((*cpp2++ = strdup(*cpp)) == NULL) {
+ environ = new_environ;
+ return;
+ }
+ }
 }
 *cpp2 = NULL;
+ environ = new_environ;
 }
diff --git a/crypto/telnet/telnetd/sys_term.c b/crypto/telnet/telnetd/sys_term.c
index 746b81c..7c00588 100644
--- a/crypto/telnet/telnetd/sys_term.c
+++ b/crypto/telnet/telnetd/sys_term.c
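Review bot: In the first hunk of crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c, the malloc() failure branch sets `environ = NULL` and returns without logging, so every later reader of `environ` has to tolerate a null pointer; a loop shaped like the counting loop added here (`*cpp` as the condition) would dereference it. Whether anything after scrub_env() walks `environ` is not visible in this hunk. Failing closed is the right direction, but an empty vector achieves it without the null: `static char *empty_env[] = { NULL };` and `environ = empty_env;` in place of `environ = NULL;`. The same branch appears in the first hunks of crypto/telnet/telnetd/sys_term.c and libexec/telnetd/sys_term.c; scrub_env() starts above this hunk and continues below it.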
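Review bot: The strdup() failure branch in the second hunk of crypto/heimdal-0.6.3/appl/telnet/telnetd/sys_term.c publishes `new_environ` without reaching `*cpp2 = NULL;`, so the list is terminated only by the NULL that the failed strdup() has just stored through `*cpp2++`. That works, and it fails closed because only already-accepted entries precede the terminator, but nothing in the code says so and a later edit to the assignment could leave the vector unterminated. I would add a comment at the branch, `/* strdup() failed: the NULL it returned is already stored and terminates the list. */`. The session also continues with a silently truncated environment, so a log call is worth adding if the file has one in scope (not visible here). The same branch is in the second hunks of the other two files.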
@@ -1281,8 +1281,18 @@ scrub_env(void)
 char **cpp, **cpp2;
 const char **p;
-
- for (cpp2 = cpp = environ; *cpp; cpp++) {
+ char ** new_environ;
+ size_t count;
+
+ /* Allocate space for scrubbed environment. */
+ for (count = 1, cpp = environ; *cpp; count++, cpp++)
+ continue;
+ if ((new_environ = malloc(count * sizeof(char *))) == NULL) {
+ environ = NULL;
+ return;
+ }
+
+ for (cpp2 = new_environ, cpp = environ; *cpp; cpp++) {
 int reject_it = 0;
 for(p = rej; *p; p++)
@@ -1296,10 +1306,15 @@ scrub_env(void)
 for(p = acc; *p; p++)
 if(strncmp(*cpp, *p, strlen(*p)) == 0)
 break;
- if(*p != NULL)
- *cpp2++ = *cpp;
+ if(*p != NULL) {
+ if ((*cpp2++ = strdup(*cpp)) == NULL) {
+ environ = new_environ;
+ return;
+ }
+ }
 }
 *cpp2 = NULL;
+ environ = new_environ;
 }
 /*
diff --git a/libexec/telnetd/sys_term.c b/libexec/telnetd/sys_term.c
index 569731b..d52d391 100644
--- a/libexec/telnetd/sys_term.c
+++ b/libexec/telnetd/sys_term.c
@@ -1138,8 +1138,18 @@ scrub_env(void)
 char **cpp, **cpp2;
 const char **p;
-
- for (cpp2 = cpp = environ; *cpp; cpp++) {
+ char ** new_environ;
+ size_t count;
+
+ /* Allocate space for scrubbed environment. */
+ for (count = 1, cpp = environ; *cpp; count++, cpp++)
+ continue;
+ if ((new_environ = malloc(count * sizeof(char *))) == NULL) {
+ environ = NULL;
+ return;
+ }
+
+ for (cpp2 = new_environ, cpp = environ; *cpp; cpp++) {
 int reject_it = 0;
 for(p = rej; *p; p++)
@@ -1153,10 +1163,15 @@ scrub_env(void)
 for(p = acc; *p; p++)
 if(strncmp(*cpp, *p, strlen(*p)) == 0)
 break;
- if(*p != NULL)
- *cpp2++ = *cpp;
+ if(*p != NULL) {
+ if ((*cpp2++ = strdup(*cpp)) == NULL) {
+ environ = new_environ;
+ return;
+ }
+ }
 }
 *cpp2 = NULL;
+ environ = new_environ;
 }
 /*
-- 
1.7.7.2
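Review bot: The only comment on the new code in the first hunk of crypto/telnet/telnetd/sys_term.c, `/* Allocate space for scrubbed environment. */`, does not say why scrub_env() now builds a fresh array and reassigns `environ` instead of compacting the existing one in place, which is the substance of the fix named in the commit subject. Without that, the copy reads as an unnecessary allocation, and the removed `for (cpp2 = cpp = environ; ...)` form is an obvious thing for a later cleanup to restore. Presumably the C library only picks up the scrubbed list when the `environ` pointer itself changes; that should be confirmed against the advisory and stated. Suggested wording: `/* Build the scrubbed list in a new array and repoint environ at it; filtering the old array in place was the form fixed for FreeBSD-SA-09:05. */`. The identical comment in the heimdal and libexec copies wants the same text.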