Received: with LISTAR (v1.0.0; list gopher);
 Wed, 17 Jan 2001 14:04:28 -0600 (CST)
Return-Path: <jgoerzen@complete.org>
Delivered-To: gopher@complete.org
Received: from erwin.complete.org (cc695330-a.indnpls1.in.home.com
 [24.8.87.207])
	by pi.glockenspiel.complete.org (Postfix) with ESMTP
	id AC9263B802; Wed, 17 Jan 2001 14:04:27 -0600 (CST)
Received: (from jgoerzen@localhost)
	by erwin.complete.org (8.11.1/8.11.1/Debian 8.11.0-6) id f0HK4If30810;
	Wed, 17 Jan 2001 15:04:18 -0500
X-Authentication-Warning: erwin.complete.org: jgoerzen set sender to
 jgoerzen@complete.org using -f
To: gopher@complete.org
Cc: 82602@bugs.debian.org
Subject: [gopher] Re: Fwd: Bug#82602: gopherd: [SECURITY] gopherd is dangerous
References: <20010116231004.A19307@vitelus.com> <87g0ii16o2.fsf@complete.org>
	<20010117114104.A26007@vitelus.com>
From: John Goerzen <jgoerzen@complete.org>
Date: 17 Jan 2001 15:04:18 -0500
In-Reply-To: <20010117114104.A26007@vitelus.com>
Message-ID: <874ryyymgt.fsf@complete.org>
Lines: 166
User-Agent: Gnus/5.090001 (Oort Gnus v0.01) XEmacs/21.1 (Channel Islands)
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-archive-position: 118
X-listar-version: Listar v1.0.0
Sender: gopher-bounce@complete.org
Errors-to: gopher-bounce@complete.org
X-original-sender: jgoerzen@complete.org
Precedence: bulk
Reply-to: gopher@complete.org
X-list: gopher


Aaron Lehmann <aaronl@vitelus.com> writes:

> On Wed, Jan 17, 2001 at 11:31:57AM -0500, John Goerzen wrote:
> > 
> > severity 82602 normal
> Execpt for the fact that gopher is not in wide use, I think the
> severity "critical" would not be far off-track. See my comments below.

The reason I did that was because there was no specific problem
reported.  A bug of "you suck" may be a bug but it's not critical :-)

When I found the specific lines of code you were talking about, I
fixed it, hence the later setting of it to "fixed".  If I had not
fixed them, I would have set it back to critical.

> > and that size is less than or equal to the location it is going, there
> > is no problem.  Therefore, the grep is meaningless.
> The grep is only meaningful as information on the diffuculty of
> auditing the codebase. It is meaningless in terms of whether gopher
> has bugs and/or security holes or not.

Agreed.

> As far as providing line numbers goes, I considered it but decided
> against it since I was looking in the CVS branch which tends to
> change. If you want to look at the context of any of the examples I
> provided, it is quite trivial to grep for a line I have quoted.

Which I did.  Fortunately all of them were obscure :-)  Had you pasted
a line that occurs multiple times, it could have been more difficult.
I was just replying to the report on the face of it, to get an initial
analysis out quickly.  As you can see, when things like this happen, I
keep people up-to-date with progress even as circumstances and
analyses change.

> I think auditing and fixing this code-base would not be easy. If you
> want to do it, the first thing you should decide on is a strategy for
> handling strings. The current strategy is to allocate just about all
> strings including pathnames, titles, menu entries, etc. as fixed-size
> 256-byte strings, and ignoring any possible buffer overflows. If
> you're going to revamp the code base in order to remove the buffer
> overflows, you might as well remove the silly and wasteful 256-char
> limit. However, the alternative scheme is not obvious. Should all
> variable-length strings be malloc'd? Who should have the
> responsibility of freeing them? etc.

The current strategy works and makes it pretty easy to add things like
snprintf's because sizeof() works in about 90% of the cases I've
seen.  I think we can continue along that route for now, adding 'n'
calls wherever possible.

-- John


> 
> > Aaron Lehmann <aaronl@vitelus.com> writes:
> > 
> > > From: aaronl@vitelus.com
> > > Subject: Bug#82602: gopherd: [SECURITY] gopherd is dangerous
> > > To: submit@bugs.debian.org
> > > Date: Tue, 16 Jan 2001 22:57:23 -0800
> > > 
> > > Package: gopherd
> > > Version: 2.3.1-8
> > > Severity: grave
> > > 
> > > 
> > > First off:
> > > 
> > > $ egrep -r '(sprintf|strcpy|strcat)' * | wc -l
> > >     539
> > > 
> > > *shudder*
> > > 
> > > 
> > > Here are a few particular cases of fixed-size buffers that I think may
> > > currently be security risks:
> > > 
> > >      char buf[256];
> > > ...
> > >       if (dochroot)
> > >            sprintf(buf, "%s '%s'", decoder, pathname);
> > >       else
> > >            sprintf(buf, "%s '%s/%s'", decoder, Data_Dir, pathname);
> > > 
> > > As far as I can tell, neither decoder nor pathname is regulated in
> > > size at all.
> > > 
> > > Here's another favorite:
> > >      char         longname[256];
> > > ...
> > >            sprintf( longname, "%s  [%s%s%s, %ukb]", stitle,
> > >               cdate+8,cdate+4,cdate+22, (statbuf.st_size+1023) / 1024);
> > > 
> > > Even if the length of stitle was regulated (which I doubt), it would
> > > most likely be regulated to 256 bytes, which would be just as
> > > disasterous.
> > > 
> > > Oh, and you had better hope that the path to your Data_Dir is < 256 chars:
> > >      char tmpstr[256];
> > > ...
> > >             strcpy(tmpstr, Data_Dir);
> > > 
> > > Data_Dir is _not_ regulated in size:
> > >       Data_Dir = strdup(argv[optind]);
> > > ...
> > >       Data_Dir = strdup(DATA_DIRECTORY);
> > > 
> > > How about this:
> > > 
> > >      if ((titlep = strcasestr(buf, "<TITLE>")) != NULL) {
> > >       char *endtitle;
> > >       char titletemp[256];
> > > 
> > >       titlep += 7;
> > >       if ((endtitle = strcasestr(titlep, "</TITLE>")) != NULL) {
> > >            strncpy(titletemp, titlep, (endtitle-titlep));
> > >            titletemp[endtitle-titlep] = '\0';
> > > 
> > > So, list a directory containing a .html document with a title > 256
> > > chars and you're likely to smash the stack.
> > > 
> > > I could go on and on. My reccomendation to the gopherd maintainer is
> > > to throw out all of this code and write a more modern, secure
> > > implentation from scratch. This is the worst C code I have ever read.
> > > 
> > > 
> > > --  
> > > To UNSUBSCRIBE, email to debian-bugs-dist-request@lists.debian.org
> > > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> > > 
> > > 
> > > 
> > > ----------
> > > 
> > > 
> > > -- Attached file included as plaintext by Listar --
> > > 
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.0.4 (GNU/Linux)
> > > Comment: For info see http://www.gnupg.org
> > > 
> > > iD8DBQE6ZUVMdtqQf66JWJkRAkfcAKC+DYo7IlV/uMhb9TiNFMehmoqDhQCfWdSG
> > > D5NRK+qja4sbChxnEeh4m10=
> > > =+VYC
> > > -----END PGP SIGNATURE-----
> > > 
> > > 
> > > 
> > > 
> > 
> > -- 
> > John Goerzen <jgoerzen@complete.org>                       www.complete.org
> > Sr. Software Developer, Progeny Linux Systems, Inc.    www.progenylinux.com
> > #include <std_disclaimer.h>                     <jgoerzen@progenylinux.com>
> > 
> > 
> > 
> 
> 
> 

-- 
John Goerzen <jgoerzen@complete.org>                       www.complete.org
Sr. Software Developer, Progeny Linux Systems, Inc.    www.progenylinux.com
#include <std_disclaimer.h>                     <jgoerzen@progenylinux.com>