[OpenAFS] Buffer overflow on Mac OS X 10.9.2 Mavericks

D Brashear shadow@gmail.com
Mon, 21 Apr 2014 12:29:37 -0400



data off the wire never makes it there, so there should be no privilege
escalation. you may be able to crash something you ran yourself.

we'll check it out, though. still not good, just not likely to have
security implications.

and the krb5 options changed in configure. that page needs a refresh


On Mon, Apr 21, 2014 at 11:12 AM, Frederick Luehring
<luehring@indiana.edu> wrote:

> Hi Everyone,
>
>     Since there has been a certain amount of excitement about the
> consequences of buffer overflows in recent days, I would like to point out
> a possible problem I discovered when following the instructions to compile
> OpenAFS on Mac OS X. I guess you know of this but just in case, if you
> follow the instructions at:
>
> http://www.openafs.org/macos.html
>
> it sets the enable-checking flag which almost immediately finds:
>
> gcc  -Os -I/Users/luehring/openafs-1.6.6/src/config
> -I/Users/luehring/openafs-1.6.6/include -I. -I.   -Os -Wall
> -Wstrict-prototypes -Wold-style-definition -Wpointer-arith -Wall
> -Wstrict-prototypes -Wold-style-definition -Werror
> -fdiagnostics-show-option
> -Wpointer-arith -arch i386 -arch x86_64  -c cmd.c
> cmd.c:46:30: error: the value of the size argument in 'strncat' is too large,
> might lead to a buffer overflow [-Werror,-Wstrncat-size]
>         strncat(tbuffer, a2, sizeof(tbuffer));
>                              ^~~~~~~~~~~~~~~
> cmd.c:46:30: note: change the argument to be the free space in the destination
> buffer minus the terminating null byte
>         strncat(tbuffer, a2, sizeof(tbuffer));
>                              ^~~~~~~~~~~~~~~
>                              sizeof(tbuffer) - strlen(tbuffer) - 1
> 1 error generated.
> make[3]: *** [cmd.o] Error 1
> make[2]: *** [cmd] Error 2
> make[1]: *** [build] Error 2
> make: *** [all] Error 2
>
> Those instructions also set "--with-krb5-conf=/usr/bin/krb5-config" which
> seems to be unrecognized. I guess this is because kerberos version 4 is
> completely dead and the flag is no longer needed.
>
> Fred
> --
> Fred Luehring Indiana U. HEP mailto:luehring@indiana.edu  +1 812 855 1025 IU
> http://cern.ch/Fred.Luehring mailto:Fred.Luehring@cern.ch +41 22 767 1166 CERN
> http://cern.ch/Fred.Luehring/Luehring_pub.asc             +1 812 391 0225 GSM
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>


-- 
D
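The clang diagnostic quoted in the message above is about the meaning of strncat's third argument: it bounds how many bytes are read from the source, not how much room is left in the destination. The following is an added illustration, not code from OpenAFS or from either poster; the buffer contents, the 16-byte size and the names `DEMO_PREFIX` / `DEMO_ARG` are constructed for the example. It computes the footprint the flagged `strncat(tbuffer, a2, sizeof(tbuffer))` pattern would have without actually performing the overflowing write, and shows the `sizeof(tbuffer) - strlen(tbuffer) - 1` bound the compiler note suggests, with truncation reported to the caller.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Added example, not OpenAFS code. strncat(dst, src, n) copies at most n
 * bytes of src onto the end of dst and then ALWAYS writes one terminating
 * NUL, so the bytes it occupies in dst are
 *
 *     strlen(dst) + min(strlen(src), n) + 1
 *
 * Passing n = sizeof(dst) (the pattern clang flagged in cmd.c) only bounds
 * the source, not the destination, and overflows as soon as dst is
 * non-empty and src is long. The safe bound is
 * sizeof(dst) - strlen(dst) - 1, which is what the compiler note suggests.
 */

/* Footprint strncat(dst, src, n) would have in dst, including the NUL,
 * computed without performing the call so the overflow arithmetic can be
 * shown without actually corrupting memory. dst must be NUL-terminated. */
size_t strncat_footprint(const char *dst, const char *src, size_t n)
{
    size_t src_len = strlen(src);
    size_t copied = src_len < n ? src_len : n;
    return strlen(dst) + copied + 1;
}

/* Append src to dst (total capacity dst_size) with the correct bound.
 * Returns 1 if all of src fit, 0 if the result was truncated. Never writes
 * beyond dst_size bytes. dst must already be NUL-terminated. */
int append_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t used = strlen(dst);
    if (used >= dst_size)
        return 0;                         /* nothing can be appended */
    size_t room = dst_size - used - 1;    /* free space minus the NUL */
    strncat(dst, src, room);
    return strlen(src) <= room;
}

/* Constructed worked case: a 16-byte buffer already holding 8 characters
 * and a 15-character argument (both made up for this example). */
#define DEMO_PREFIX "prefix: "            /* 8 chars */
#define DEMO_ARG    "a-long-argument"     /* 15 chars */

/* Bytes the flagged strncat(tbuffer, a2, sizeof(tbuffer)) would write past
 * the end of tbuffer: footprint 8 + 15 + 1 = 24 in a 16-byte buffer. */
size_t demo_overflow_bytes(void)
{
    char tbuffer[16] = DEMO_PREFIX;
    size_t footprint = strncat_footprint(tbuffer, DEMO_ARG, sizeof(tbuffer));
    return footprint > sizeof(tbuffer) ? footprint - sizeof(tbuffer) : 0;
}

/* Same inputs appended with sizeof(tbuffer) - strlen(tbuffer) - 1 as the
 * bound: 7 bytes of the argument are kept, the buffer is exactly full, and
 * *truncated is set. Returns the result from a static buffer. */
const char *demo_bounded_result(int *truncated)
{
    static char tbuffer[16];
    strcpy(tbuffer, DEMO_PREFIX);
    int fit = append_bounded(tbuffer, sizeof(tbuffer), DEMO_ARG);
    if (truncated)
        *truncated = !fit;
    return tbuffer;
}

/* Convenience accessor for the truncation flag of the worked case. */
int demo_truncated(void)
{
    int truncated = 0;
    demo_bounded_result(&truncated);
    return truncated;
}

int main(void)
{
    int truncated = 0;
    printf("unsafe bound writes %zu byte(s) past a 16-byte buffer\n",
           demo_overflow_bytes());
    printf("bounded result: \"%s\" (truncated=%d)\n",
           demo_bounded_result(&truncated), truncated);
    return 0;
}
```

Whether such a truncation is reachable by untrusted input is a separate question from whether the bound is wrong; the arithmetic above only shows what the flagged call would do once the destination already holds data.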
