Mailing-List: contact securesoftware-help@list.cr.yp.to; run by ezmlm
Delivered-To: mailing list securesoftware@list.cr.yp.to
Received: (qmail 9120 invoked from network); 15 Dec 2004 16:32:47 -0000
Received: from trillian.mit.edu (18.62.1.54) by stoneport.math.uic.edu with SMTP; 15 Dec 2004 16:32:47 -0000
To:
X-Sent-To:
From: John Chambers
X-Sent-From: John Chambers
Date: Wed, 15 Dec 2004 16:32:24 UTC
Reply-to: John Chambers
User-Agent: ~jc/sh/Send.pl
Message-ID: <20041115163224.2688.jc@trillian.mit.edu>
To: securesoftware@list.cr.yp.to
To: (D. J. Bernstein)
Subject: Re: [remote] [control] jcabc2ps switch_voice() overflows t1 buffer
In-Reply-To: <20041215083325.58558.qmail@cr.yp.to>

| Tom Palarz and Limin Wang, two students in my Fall 2004 UNIX Security
| Holes course, have discovered a remotely exploitable security hole in
| jcabc2ps. I'm publishing this notice, but all the discovery credits
| should be assigned to Palarz and Wang.
| ...
|
| Here's the bug: In parse.c, switch_voice() copies any amount of data
| into the 201-byte t1[] array.
|
| ---D. J. Bernstein, Associate Professor, Department of Mathematics,
| Statistics, and Computer Science, University of Illinois at Chicago

Hey, thanks! I've fixed the problem in my copy. Now I just have to figure out how to get it back into sourceforge. (I get cvs's "there is no version here" error again, which I don't understand. Something in cvs has broken since Sep 2, my last checkin, but I have no clue as to what it's trying to tell me. ;-)

As you may know, jcabc2ps is one of a number of clones of Michael Methfessel's original abc2ps. I've looked at the original, and it has the same problem. So I'll forward this bug report to the maintainers of the other clones, which probably all have the same bug. I've found a number of bugs like this, and I've been fixing them. In my mind, the bug is partly due to quick-and-dirty coding using fixed-size arrays, and I've worked on making them dynamic while adding size checking.
My quick-and-dirty fix for this bug has been to add the obvious bounds checks on the two copies into t1 and t2 (which should have the same bug). I'll look into making both t1 and t2 dynamically-sized after I figure out how to get the fixed code checked in.
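An added example, not jcabc2ps's own code, of the bounds-checked copy the reply describes: a field is copied into a 201-byte buffer (the t1[] size quoted in the advisory) and the caller is told when the input did not fit, so an over-long voice line can be rejected instead of overflowing. The delimiter set and the function names are assumptions, since the real switch_voice() source is not on the page.

```c
#include <string.h>
#include <stdio.h>

/* Added example, not parse.c. The advisory says switch_voice() copies an
 * arbitrary-length field into a 201-byte t1[]; this is the checked copy
 * that the fix adds. T1_SIZE matches the advisory; delimiters are assumed. */
#define T1_SIZE 201

/* Copy one whitespace-delimited field from p into dst (dst_size bytes,
 * always NUL-terminated). Returns the number of source bytes consumed and
 * sets *truncated if the field did not fit; excess bytes are skipped. */
size_t copy_field_bounded(const char *p, char *dst, size_t dst_size, int *truncated)
{
    size_t n = 0;       /* bytes consumed from p */
    size_t written = 0; /* bytes stored in dst, excluding the NUL */
    *truncated = 0;
    if (dst_size == 0)
        return 0;
    while (p[n] != '\0' && p[n] != ' ' && p[n] != '\t' && p[n] != '\n') {
        if (written + 1 < dst_size)  /* leave room for the terminator */
            dst[written++] = p[n];
        else
            *truncated = 1;          /* do not write past dst, just note it */
        n++;
    }
    dst[written] = '\0';
    return n;
}

/* Models the switch_voice() step: read a voice identifier into t1[] with
 * the check the original lacked. Returns 0 on success, -1 if the
 * identifier was longer than t1 can hold (caller can reject the line). */
int read_voice_id(const char *line, char t1[T1_SIZE])
{
    int truncated;
    copy_field_bounded(line, t1, T1_SIZE, &truncated);
    return truncated ? -1 : 0;
}

int main(void)
{
    char t1[T1_SIZE];
    char longid[400];                      /* constructed over-long input */
    memset(longid, 'A', sizeof longid - 1);
    longid[sizeof longid - 1] = '\0';
    printf("short: %d (%s)\n", read_voice_id("V1 clef=treble", t1), t1);
    printf("long:  %d (len %zu)\n", read_voice_id(longid, t1), strlen(t1));
    return 0;
}
```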