Binary files virus-0.0.5/.DS_Store and virus-0.0.6/.DS_Store differ diff -ruN virus-0.0.5/COMPILES virus-0.0.6/COMPILES --- virus-0.0.5/COMPILES Sat Dec 28 08:52:53 2002 +++ virus-0.0.6/COMPILES Mon Sep 8 13:06:47 2003 @@ -8,4 +8,4 @@ ROCK Linux 1.6.0-CVS Linux-2.4.20 glibc-2.2.5 sparc, sparc64 Solaris 2.6, 7.0, 8.0, 9.0 sparc, sparc64 Solaris 2.6, 7.0, 8.0, 9.0-pre ia32 -Mac OS X 10.1.5, 10.2 powerpc +Mac OS X 10.1.5, 10.2, 10.2.6 powerpc diff -ruN virus-0.0.5/CREDITS virus-0.0.6/CREDITS --- virus-0.0.5/CREDITS Thu Jan 1 01:00:00 1970 +++ virus-0.0.6/CREDITS Mon Sep 8 13:13:40 2003 @@ -0,0 +1 @@ +2003/09/08 -- henning brauer (henning@openbsd) for help and patience with strlcpy diff -ruN virus-0.0.5/ChangeLog virus-0.0.6/ChangeLog --- virus-0.0.5/ChangeLog Mon Jan 6 01:37:50 2003 +++ virus-0.0.6/ChangeLog Mon Sep 8 13:46:54 2003 @@ -22,3 +22,11 @@ found possible problem with editing multiple files with CRASHME binary tested compile works on above platforms +virus-0.0.5 to virus-0.0.6 ( 2003/01/06 -- 2003/09/08 ) + improved one strlcpy call in colon() and + fixed one strlcpy call buffer overflow - both thanks to henning@openbsd + fixed some compiler warnings about pointer targets in assignment differ signedness + postponed feature-changes for later release + tested compile works on above mentioned platforms. + + diff -ruN virus-0.0.5/Makefile virus-0.0.6/Makefile --- virus-0.0.5/Makefile Mon Jan 6 01:27:18 2003 +++ virus-0.0.6/Makefile Mon Sep 8 13:08:35 2003 @@ -4,7 +4,7 @@ ## ## Virus stuff -VIRUS_VERSION := "0.0.5" +VIRUS_VERSION := "0.0.6" VIRUS_MAKE_BANNER := "xx VI Resembling Utility Skeleton - Version $(VIRUS_VERSION)" ## Option Switches diff -ruN virus-0.0.5/TODO/strc.kill-list virus-0.0.6/TODO/strc.kill-list --- virus-0.0.5/TODO/strc.kill-list Sun Jan 5 22:53:11 2003 +++ virus-0.0.6/TODO/strc.kill-list Thu Jan 1 01:00:00 1970 
@@ -1,12 +0,0 @@
-virus.c:692:(Very Risky) strcat
-virus.c:696:(Very Risky) strcat
-virus.c:699:(Very Risky) strcat
-virus.c:3007:(Very Risky) strcat
-virus.c:3015:(Very Risky) strcat
-virus.c:3017:(Very Risky) strcat
-virus.c:3621:(Very Risky) strcat
-virus.c:3626:(Very Risky) strcat
-virus.c:3739:(Very Risky) strcat
-virus.c:1762:(Very Risky) strcpy
-virus.c:3440:(Very Risky) strcpy
-virus.c:3736:(Very Risky) strcpy
diff -ruN virus-0.0.5/TODO/virus.c.its4 virus-0.0.6/TODO/virus.c.its4
--- virus-0.0.5/TODO/virus.c.its4 Mon Feb 11 04:57:26 2002
+++ virus-0.0.6/TODO/virus.c.its4 Mon Sep 8 14:42:10 2003
@@ -1,90 +1,82 @@ -virus.c:2026:(Urgent) printf -virus.c:2029:(Urgent) printf -virus.c:2030:(Urgent) printf -virus.c:2032:(Urgent) printf -virus.c:2033:(Urgent) printf -virus.c:2035:(Urgent) printf -virus.c:2036:(Urgent) printf -virus.c:2038:(Urgent) printf -virus.c:2039:(Urgent) printf -virus.c:2040:(Urgent) printf -virus.c:2042:(Urgent) printf +virus.c:1815:(Urgent) system +Easy to run arbitrary commands through env vars. Also, potential TOCTOU +problems. +Use fork + execve instead. +---------------- +virus.c:2044:(Urgent) printf +virus.c:2047:(Urgent) printf +virus.c:2048:(Urgent) printf +virus.c:2050:(Urgent) printf +virus.c:2051:(Urgent) printf +virus.c:2053:(Urgent) printf +virus.c:2054:(Urgent) printf +virus.c:2056:(Urgent) printf +virus.c:2057:(Urgent) printf +virus.c:2058:(Urgent) printf +virus.c:2060:(Urgent) printf Non-constant format strings can often be attacked. Use a constant format string. ---------------- -virus.c:3609:(Urgent) sprintf +virus.c:2983:(Urgent) fprintf +virus.c:3445:(Urgent) fprintf Non-constant format strings can often be attacked. Use a constant format string. ---------------- -virus.c:1797:(Urgent) system -Easy to run arbitrary commands through env vars. Also, potential TOCTOU -problems. -Use fork + execve instead. +virus.c:3637:(Urgent) sprintf +Non-constant format strings can often be attacked. +Use a constant format string. ---------------- -virus.c:3737:(Urgent) vsprintf -virus.c:3751:(Urgent) vsprintf +virus.c:3767:(Urgent) vsprintf +virus.c:3782:(Urgent) vsprintf Non-constant format strings can often be attacked. Use a constant format string. ---------------- -virus.c:740:(Very Risky) sprintf +virus.c:743:(Very Risky) sprintf This function is high risk for buffer overflows Use snprintf if available, or precision specifiers, if available. 
---------------- -virus.c:1835:(Very Risky) stat +virus.c:1853:(Very Risky) stat Potential race condition on: (char*)fn Points of concern are: -virus.c:1835: stat -virus.c:3480: stat -virus.c:3517: open -virus.c:3523: open -virus.c:3561: open +virus.c:1853: stat +virus.c:3508: stat +virus.c:3545: open +virus.c:3551: open +virus.c:3589: open Manipulate file descriptors, not symbolic names, when possible. ---------------- -virus.c:692:(Very Risky) strcat -virus.c:696:(Very Risky) strcat -virus.c:699:(Very Risky) strcat -virus.c:3007:(Very Risky) strcat -virus.c:3015:(Very Risky) strcat -virus.c:3017:(Very Risky) strcat -virus.c:3621:(Very Risky) strcat -virus.c:3626:(Very Risky) strcat -virus.c:3739:(Very Risky) strcat -This function is high risk for buffer overflows -Use strncat instead. ----------------- -virus.c:1762:(Very Risky) strcpy -virus.c:3440:(Very Risky) strcpy -virus.c:3736:(Very Risky) strcpy -This function is high risk for buffer overflows -Use strncpy instead. ----------------- -virus.c:635:(Risky) lrand48 -virus.c:661:(Risky) lrand48 -virus.c:675:(Risky) lrand48 -virus.c:682:(Risky) lrand48 -virus.c:686:(Risky) lrand48 -virus.c:687:(Risky) lrand48 -virus.c:690:(Risky) lrand48 -virus.c:692:(Risky) lrand48 -virus.c:696:(Risky) lrand48 -virus.c:699:(Risky) lrand48 +virus.c:327:(Risky) srand Don't use rand() and friends for security-critical needs. Use better sources of randomness, like /dev/random (linux) or Yarrow (windows). ---------------- -virus.c:324:(Risky) srand +virus.c:638:(Risky) lrand48 +virus.c:664:(Risky) lrand48 +virus.c:678:(Risky) lrand48 +virus.c:685:(Risky) lrand48 +virus.c:689:(Risky) lrand48 +virus.c:690:(Risky) lrand48 +virus.c:693:(Risky) lrand48 +virus.c:695:(Risky) lrand48 +virus.c:699:(Risky) lrand48 +virus.c:702:(Risky) lrand48 Don't use rand() and friends for security-critical needs. Use better sources of randomness, like /dev/random (linux) or Yarrow (windows). 
---------------- -virus.c:351:(Some risk) getopt +virus.c:1732:(Risky) stat +virus.c:3502:(Risky) stat +Can lead to process/file interaction race conditions (TOCTOU category A) +Manipulate file descriptors, not symbolic names, when possible. +---------------- +virus.c:354:(Some risk) getopt Depending on the lib implementation, can be a buffer overflow problem. Truncate all str inputs to a reasonable size before calling this. ---------------- -virus.c:743:(Some risk) read -virus.c:3331:(Some risk) read -virus.c:3364:(Some risk) read -virus.c:3534:(Some risk) read +virus.c:746:(Some risk) read +virus.c:3350:(Some risk) read +virus.c:3383:(Some risk) read +virus.c:3562:(Some risk) read Be careful not to introduce a buffer overflow when using in a loop. Make sure to check your buffer boundries. ---------------- diff -ruN virus-0.0.5/virus.c virus-0.0.6/virus.c --- virus-0.0.5/virus.c Mon Jan 6 01:28:43 2003 +++ virus-0.0.6/virus.c Mon Sep 8 13:46:04 2003 @@ -22,7 +22,7 @@ */ char *vi_Version = - "$Id: virus.c,v 0.0.5 2003/01/06 01:27:38 ripclaw Exp $"; + "$Id: virus.c,v 0.0.6 2003/09/08 13:07:21 ripclaw Exp $"; /* * To compile: @@ -81,6 +81,7 @@ #include #include #include +#include #include #include "lib/last_char_is.c" @@ -1776,8 +1777,8 @@ while (isblnk(*buf)) buf++; /* FIXED strcpy((char *) args, (char *) buf); */ - strlcpy((char *) args, (char *) buf, (strlen((char *) buf) +1 )); - buf1 = last_char_is((char *)cmd, '!'); + if (strlcpy((char *) args, (char *) buf, sizeof((char *)args)) > sizeof((char *)args)) err(1, "strlcpy overflow in function colon"); + buf1 = (Byte *)last_char_is((char *)cmd, '!'); if (buf1) { useforce = TRUE; *buf1 = '\0'; // get rid of ! @@ -1811,7 +1812,7 @@ place_cursor(rows - 1, 0, FALSE); // go to Status line clear_to_eol(); // clear the line cookmode(); - system(orig_buf+1); // run the cmd + system((char *)orig_buf+1); // run the cmd rawmode(); Hit_Return(); // let user see results (void) alarm(3); // done waiting for input 
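Review bot: `sizeof((char *)args)` in the new strlcpy bound in colon() (@@ -1776) is the size of a pointer, not of the args buffer, so everything past the first few characters of a command argument is dropped and the `> sizeof` test then aborts the whole editor through err(1, ...); the get_input_line hunk (@@ -3464) has the same `sizeof((char *)buf)` pattern, where it replaces a BUFSIZ bound. If args and buf are arrays the bound should be `sizeof args` / `sizeof buf` with no cast, and if they are pointers the declared capacity has to be passed explicitly — their declarations are outside the hunks, so confirm which case applies. The truncation test is also off by one: strlcpy returns strlen(src), so the copy was truncated whenever the result is `>= size`, not only `> size`. strlcpy does not set errno, so err() will append a stale strerror; errx() is the matching call, and since an over-long argument is user input rather than a system failure, reporting it with psbs() and returning to the command loop (as the "No write since last change" path in the @@ -1836 hunk does) would avoid exiting with unsaved edits. colon() starts before this hunk and continues past it; the minimal correction at the first `+` line is `if (strlcpy((char *)args, (char *)buf, sizeof args) >= sizeof args) errx(1, "strlcpy overflow in function colon");`.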
@@ -1835,10 +1836,10 @@ psbs("No write since last change (:edit! overrides)"); goto vc1; } - if (strlen(args) > 0) { + if (strlen((char *)args) > 0) { // the user supplied a file name fn= args; - } else if (cfn != 0 && strlen(cfn) > 0) { + } else if (cfn != 0 && strlen((char *)cfn) > 0) { // no user supplied name- use the current filename fn= cfn; goto vc5; @@ -3464,7 +3465,7 @@ static Byte *obufp = NULL; /* FIXED strcpy((char *) buf, (char *) prompt); */ - strlcpy((char *) buf, (char *) prompt, BUFSIZ); + if (strlcpy((char *) buf, (char *) prompt, sizeof((char *)buf)) > sizeof ((char *) buf)) err(1, "strlcpy overflow in function get_input_line"); *status_buffer = '\0'; // clear the status buffer place_cursor(rows - 1, 0, FALSE); // go to Status line, bottom of screen clear_to_eol(); // clear the line