forked from pool/audit
30 lines
871 B
Diff
30 lines
871 B
Diff
|
From: tonyj@suse.de
|
||
|
Subject: VUL-0: audit buffer overflow
|
||
|
References: BNC# 378725
|
||
|
Upstream: auditd 1.7.2
|
||
|
|
||
|
Bugtraq ID: 28524 Linux Audit Daemon 'audit_log_user_command()' Local Buffer
|
||
|
Overflow Vulnerability.
|
||
|
|
||
|
This problem was found in Fedora when sudo was modified to call
|
||
|
audit_log_user_command.
|
||
|
|
||
|
Fix backported from auditd v1.7.2
|
||
|
|
||
|
diff -urp audit-1.6.5.orig/lib/audit_logging.c audit-1.6.5/lib/audit_logging.c
|
||
|
--- audit-1.6.5.orig/lib/audit_logging.c 2008-04-01 16:33:34.000000000 -0400
|
||
|
+++ audit-1.6.5/lib/audit_logging.c 2008-04-01 16:34:12.000000000 -0400
|
||
|
@@ -652,7 +652,11 @@ int audit_log_user_command(int audit_fd,
|
||
|
}
|
||
|
|
||
|
p = cmd;
|
||
|
- strcpy(commname, cmd);
|
||
|
+ if (len >= PATH_MAX) {
|
||
|
+ cmd[PATH_MAX] = 0;
|
||
|
+ len = PATH_MAX-1;
|
||
|
+ }
|
||
|
+ strcpy(commname,cmd);
|
||
|
while (*p) {
|
||
|
if (*p == '"' || *p < 0x21 || (unsigned)*p > 0x7f) {
|
||
|
_audit_c2x(commname, cmd, len);
|