Earlier today I whined on IRC about these vulnerability databases that don’t even bother with linking the patch.
Well, now that the changes are in all three tagged BSDs, I decided to take a look at it anyway (frustrating, I really have to dig for patches? this is how code gets reviewed?). It looks like they all got it wrong. Free & Open accidentally increment a remaining space counter and NetBSD happily stores a NUL byte after the buffer if it’s full.
This is the kind of function that should immediately look suspicious. If anyone ever looked. obuf has a magic size, and there is no bounds checking. How do you know the size is right? You need to dig elsewhere to find out if it is.
Thankfully it’s a low severity vulnerability in practice.
The vulnerable code was introduced a minimum of 26 years ago.
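As an added example (constructed for this thread, not the BSD source or any of the three patches being discussed), here is the bounded-append pattern the comment above is describing, written so that the two mistakes it mentions cannot happen: the remaining-space counter is derived from a single `used` index rather than maintained separately (so it cannot drift the wrong way), and one byte is always reserved for the terminator, so a full buffer never gets its NUL stored past the end. The names `obuf`, `OBUF_SIZE`, `outbuf_*` and the self-check are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration; not the code the thread discusses.
 * OBUF_SIZE, struct outbuf and the outbuf_* helpers are assumed names. */

#define OBUF_SIZE 16

struct outbuf {
    char   obuf[OBUF_SIZE];
    size_t used;        /* bytes stored so far, not counting the terminator */
};

static void outbuf_init(struct outbuf *ob) {
    ob->used = 0;
    ob->obuf[0] = '\0';
}

/* Remaining capacity. One byte of OBUF_SIZE is always held back for the
 * terminating NUL, so a "full" buffer still has a legal place for it.
 * Deriving this from `used` avoids a separate counter that a patch could
 * accidentally move in the wrong direction. */
static size_t outbuf_remaining(const struct outbuf *ob) {
    return (OBUF_SIZE - 1) - ob->used;
}

/* Append one byte. Returns 1 on success, 0 if the buffer is full.
 * The bounds check happens before any store, so the NUL written after the
 * byte lands at index <= OBUF_SIZE-1, never after the array. */
static int outbuf_putc(struct outbuf *ob, char c) {
    if (outbuf_remaining(ob) == 0)
        return 0;               /* full: drop the byte, touch nothing */
    ob->obuf[ob->used++] = c;
    ob->obuf[ob->used] = '\0';  /* used <= OBUF_SIZE-1 here */
    return 1;
}

/* Append a string; returns how many bytes were actually stored. */
static size_t outbuf_puts(struct outbuf *ob, const char *s) {
    size_t n = 0;
    while (*s != '\0' && outbuf_putc(ob, *s)) {
        s++;
        n++;
    }
    return n;
}

/* Self-check a reviewer can run: push more than OBUF_SIZE bytes through
 * the buffer and confirm it stops at capacity, keeps the terminator in
 * bounds, and leaves the memory placed after the struct untouched. */
static int outbuf_selfcheck(void) {
    struct {
        struct outbuf ob;
        char canary[4];
    } s;
    memcpy(s.canary, "CAN", 4);
    outbuf_init(&s.ob);

    /* 20 bytes offered to a 16-byte buffer (15 usable + NUL). */
    size_t stored = outbuf_puts(&s.ob, "0123456789abcdefghij");

    if (stored != OBUF_SIZE - 1)            return 0;
    if (s.ob.used != OBUF_SIZE - 1)         return 0;
    if (s.ob.obuf[OBUF_SIZE - 1] != '\0')   return 0;
    if (outbuf_remaining(&s.ob) != 0)       return 0;
    if (memcmp(s.canary, "CAN", 4) != 0)    return 0;
    return 1;
}

int main(void) {
    return outbuf_selfcheck() ? 0 : 1;
}
```

The point for review is the shape, not the sizes: when the capacity check, the store and the terminator write are three separate statements that each reason about the array size independently, a one-character patch can leave any one of them off by one. Keeping a single `used` index and deriving "remaining" from it gives a reviewer one place to check.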
@tedu has an interesting blog on it here
Note: I’m not sure if OpenBSD and NetBSD are vulnerable.
Confirmed: OpenBSD and NetBSD are both vulnerable.