Handling security issues?

Thierry Reding thierry at doppeltgemoppelt.de
Thu Feb 9 07:41:24 UTC 2006


* Steve Kemp wrote:
[...]
> void SchreibeKonfiguration(){
>   FILE *f;
> #ifndef _WIN32
>   char dateiname[40];
>   sprintf(dateiname,"%s/.BillardGL.conf.v7",getenv("HOME"));
>   f=fopen(dateiname,"w+");
> #endif
>   ...
>   ...
> }
> 
> void LeseKonfiguration(){
>   FILE *f;
> #ifndef _WIN32
>   char dateiname[40];
>   sprintf(dateiname,"%s/.BillardGL.conf.v7",getenv("HOME"));
>   f=fopen(dateiname,"r");
>   ...
>   ...
> }
> 
>   Both of these sections of code contain the same flaw.   The copying
>  of the contents of the environmental variable 'HOME' into a fixed
>  size buffer "dateiname", without testing for overflows.
> 
>   The code could be fixed by using this instead:
> 
>   memset(dateiname,'\0',sizeof(dateiname));
>   snprintf(dateiname,sizeof(dateiname)-1,"%s/.BillardGL.conf.v7",getenv("HOME"));

Sorry for taking the fun out of the practice, but those security issues have
already been fixed in `debian/patches/03_config_buffer_overflows.dpatch'.

Maybe this is another good argument against using a patch system for packages
already in SVN. The same thing actually happened to me once as well while
testing a build using plain `make'. Since this didn't apply any patches from
the `debian/patches' directory, I was left clueless for a couple of minutes
as to why things were going wrong compared to building with dpkg-buildpackage.

Thierry
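
As an added illustration of the flaw Steve describes and the check a fix needs (this is example code written for this note, not the BillardGL source or the Debian patch): the original `sprintf` into a fixed `char dateiname[40]` writes past the buffer when `$HOME` is longer than about 20 characters, and passing a `NULL` `getenv("HOME")` result to `"%s"` is undefined behaviour. Switching to `snprintf` stops the overflow, but a bare `snprintf` silently truncates, so the program would then read or write a config file at a shortened path. The helper below takes the home directory as a parameter (so it can be exercised with constructed input) and treats both "HOME unset" and "did not fit" as errors rather than carrying on. Function and constant names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Suffix appended to $HOME, exactly as in the quoted BillardGL code (19 chars). */
#define CONFIG_SUFFIX "/.BillardGL.conf.v7"

/* Return codes for build_config_path() (names chosen for this example). */
enum {
    PATH_OK = 0,
    PATH_ERR_NO_HOME = -1,   /* home was NULL, i.e. HOME not set */
    PATH_ERR_TRUNCATED = -2  /* home + suffix did not fit in the buffer */
};

/*
 * Build "<home>/.BillardGL.conf.v7" into buf (bufsize bytes).
 *
 * Unlike sprintf() into a fixed char[40], this never writes past buf, and
 * unlike a bare snprintf() it refuses a silently truncated path: snprintf()
 * returns the length the full string would have had, so a return value
 * >= bufsize means the result was cut short.
 */
int build_config_path(char *buf, size_t bufsize, const char *home)
{
    if (buf == NULL || bufsize == 0)
        return PATH_ERR_TRUNCATED;
    buf[0] = '\0';
    if (home == NULL)
        return PATH_ERR_NO_HOME;   /* "%s" with a NULL pointer is undefined */

    int needed = snprintf(buf, bufsize, "%s" CONFIG_SUFFIX, home);
    if (needed < 0 || (size_t)needed >= bufsize) {
        buf[0] = '\0';             /* do not hand back a half-built path */
        return PATH_ERR_TRUNCATED;
    }
    return PATH_OK;
}

/* Wrapper mirroring the original call site: reads $HOME from the environment. */
int config_path_from_env(char *buf, size_t bufsize)
{
    return build_config_path(buf, bufsize, getenv("HOME"));
}

int main(void)
{
    char path[40];  /* same fixed size as the original 'dateiname' */

    /* Constructed inputs: a short home that fits and a 63-char one that does not. */
    const char *short_home = "/home/user";
    char long_home[64];
    memset(long_home, 'a', sizeof(long_home) - 1);
    long_home[sizeof(long_home) - 1] = '\0';

    printf("short: rc=%d path=%s\n",
           build_config_path(path, sizeof path, short_home), path);
    printf("long:  rc=%d\n", build_config_path(path, sizeof path, long_home));
    printf("null:  rc=%d\n", build_config_path(path, sizeof path, NULL));
    return 0;
}
```

With a 40-byte buffer the longest home directory that fits is 20 characters (20 + 19 for the suffix + the terminating NUL); anything longer is reported as truncated instead of being used as a path. A caller that needs arbitrary-length home directories would allocate `strlen(home) + sizeof(CONFIG_SUFFIX)` bytes instead of using a fixed array, but the return-value check stays the same.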
