From b578202a58068d30d41e3f9cbe99c9ec95987c03 Mon Sep 17 00:00:00 2001 From: Satoshi Asami Date: Sun, 12 Mar 2000 07:21:27 +0000 Subject: Fix another remote buffer overflow. Obtained from: Bugtraq-JP (SPS Advisory #34) Submitted by: kuriyama --- japanese/FreeWnn-server/files/patch-ab | 39 ++++++++++- japanese/FreeWnn-server/files/patch-bl | 20 ------ japanese/FreeWnn-server/files/patch-ce | 33 +++++++++ japanese/FreeWnn-server/files/patch-cf | 13 ++++ japanese/FreeWnn-server/files/patch-cg | 16 +++++ japanese/FreeWnn-server/files/patch-ch | 122 +++++++++++++++++++++++++++++++++ 6 files changed, 221 insertions(+), 22 deletions(-) create mode 100644 japanese/FreeWnn-server/files/patch-ce create mode 100644 japanese/FreeWnn-server/files/patch-cf create mode 100644 japanese/FreeWnn-server/files/patch-cg create mode 100644 japanese/FreeWnn-server/files/patch-ch (limited to 'japanese/FreeWnn-server') diff --git a/japanese/FreeWnn-server/files/patch-ab b/japanese/FreeWnn-server/files/patch-ab index 92af97ad2933..c811c85af5e8 100644 --- a/japanese/FreeWnn-server/files/patch-ab +++ b/japanese/FreeWnn-server/files/patch-ab @@ -1,5 +1,5 @@ ---- ./Wnn/jserver/de.c.orig Fri Aug 19 10:31:23 1994 -+++ ./Wnn/jserver/de.c Fri Aug 1 18:54:55 1997 +--- Wnn/jserver/de.c~ Fri Aug 19 10:31:23 1994 ++++ Wnn/jserver/de.c Fri Mar 10 00:44:42 2000 @@ -65,6 +65,9 @@ #include @@ -27,3 +27,38 @@ } #if defined(hpux) || defined(SOLARIS) +@@ -542,10 +554,14 @@ + + /** **/ + void +-gets_cur(cp) ++gets_cur(cp, len) + register char *cp; ++int len; + { +- while((*cp++ = getc_cur()) != '\0'); ++ int i; ++ ++ for (i = 0; i < len; i++) ++ if ((*(cp + i) = getc_cur()) == '\0') break; + } + + /** **/ +@@ -648,6 +664,17 @@ + { + register int c; + while(c= *p++) putc_cur(c); ++ putc_cur(0); ++} ++ ++/** **/ ++void ++puts_n_cur(p,n) ++char *p; ++int n; ++{ ++ register int c; ++ while((c = *p++) && --n >= 0) putc_cur(c); + putc_cur(0); + } + 
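Review bot: In the new `gets_cur(cp, len)` in patch-ab, the loop stops after `len` bytes without writing a terminator and without consuming the rest of the client's string. A string of `len` or more non-NUL bytes therefore leaves `cp` unterminated, and its tail stays in the input for the next `get4_cur()` or `gets_cur()` to misparse. Callers in this commit pass the buffer straight on as a C string, for example `gets_cur(n, 256); x=conn1(n);` and the `find_env_by_name(n)` call in patch-ce, and the file-name and password reads in patch-cf, patch-cg and patch-ch. I would store at most `len - 1` bytes, always terminate, and keep reading up to the NUL. That draining assumes, as the pre-patch loop did, that `getc_cur()` does not keep returning non-NUL bytes once the client is gone; its definition is not on this page.

```c
gets_cur(cp, len)
register char *cp;
int len;
{
    int i = 0;
    int c;

    /* Read through the terminator so the request stream stays aligned,
       but store at most len - 1 bytes and always terminate cp. */
    while ((c = getc_cur()) != '\0')
        if (i < len - 1) cp[i++] = c;
    if (len > 0) cp[i] = '\0';
}
```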
diff --git a/japanese/FreeWnn-server/files/patch-bl b/japanese/FreeWnn-server/files/patch-bl index 4e20a1c280ec..63e65b164585 100644 --- a/japanese/FreeWnn-server/files/patch-bl +++ b/japanese/FreeWnn-server/files/patch-bl @@ -25,23 +25,3 @@ By KATAYAMA Yoshio put4_cur(jtl->syurui); put4_cur(jtl->gosuu); put4_cur(files[fid].localf); ---- Wnn/jserver/de.c.98-10-12 Mon Oct 12 01:01:28 1998 -+++ Wnn/jserver/de.c Sun Jan 24 14:50:14 1999 -@@ -665,6 +665,17 @@ - - /** **/ - void -+puts_n_cur(p,n) -+char *p; -+int n; -+{ -+ register int c; -+ while((c = *p++) && --n >= 0) putc_cur(c); -+ putc_cur(0); -+} -+ -+/** **/ -+void - putws_cur(p) - w_char *p; - { diff --git a/japanese/FreeWnn-server/files/patch-ce b/japanese/FreeWnn-server/files/patch-ce new file mode 100644 index 000000000000..7264669e5628 --- /dev/null +++ b/japanese/FreeWnn-server/files/patch-ce @@ -0,0 +1,33 @@ +--- Wnn/jserver/do_env.c~ Wed Apr 28 09:25:54 1993 ++++ Wnn/jserver/do_env.c Fri Mar 10 00:25:57 2000 +@@ -79,10 +79,10 @@ + char tmp_buf[256]; + + version = get4_cur(); +- gets_cur(tmp_buf); ++ gets_cur(tmp_buf, 256); + tmp_buf[WNN_HOSTLEN-1] = '\0'; /* truncate by WNN_HOSTLEN */ + strcpy(c_c->host_name, tmp_buf); +- gets_cur(tmp_buf); ++ gets_cur(tmp_buf, 256); + tmp_buf[WNN_ENVNAME_LEN-1] = '\0'; /* truncate by WNN_ENVNAME_LEN */ + strcpy(c_c->user_name, tmp_buf); + error1("Inet user=%s@%s\n",c_c -> user_name,c_c->host_name); +@@ -125,7 +125,7 @@ + js_connect() + {char n[256]; + register int x; +- gets_cur(n); ++ gets_cur(n, 256); + x=conn1(n); + if(x==-1){error_ret(); return;} + put4_cur(x); +@@ -184,7 +184,7 @@ + { + char n[256]; + +- gets_cur(n); ++ gets_cur(n, 256); + if(find_env_by_name(n) != -1){ /* exist */ + put4_cur(1); + }else{ diff --git a/japanese/FreeWnn-server/files/patch-cf b/japanese/FreeWnn-server/files/patch-cf new file mode 100644 index 000000000000..e9eb93a1ffb6 --- /dev/null +++ b/japanese/FreeWnn-server/files/patch-cf 
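Review bot: The literal `256` in `gets_cur(tmp_buf, 256)` and `gets_cur(n, 256)` in patch-ce repeats the array size by hand, so the bound and the declaration can drift apart. Where the array is declared in the same function (`char tmp_buf[256]`, `char n[256]`), `gets_cur(tmp_buf, sizeof(tmp_buf))` and `gets_cur(n, sizeof(n))` keep the two tied together. The same applies to the `WNN_PASSWD_LEN`, `FILENAME` and `FILE_NAME_L` bounds in patch-cf and patch-ch, where most of the buffer declarations are outside the hunks and cannot be checked against the constant passed. In the first hunk, `tmp_buf[WNN_HOSTLEN-1] = '\0'` stays inside the buffer only if WNN_HOSTLEN and WNN_ENVNAME_LEN are at most 256, which is not visible here; a comment such as `/* WNN_HOSTLEN and WNN_ENVNAME_LEN must not exceed sizeof(tmp_buf) */` would record that.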
@@ -0,0 +1,13 @@ +--- Wnn/jserver/do_dic_env.c~ Wed Sep 30 14:25:06 1992 ++++ Wnn/jserver/do_dic_env.c Fri Mar 10 00:25:25 2000 +@@ -78,8 +78,8 @@ + nice=get4_cur(); + rw=get4_cur(); + hrw=get4_cur(); +- gets_cur(pw); +- gets_cur(pw1); ++ gets_cur(pw, WNN_PASSWD_LEN); ++ gets_cur(pw1, WNN_PASSWD_LEN); + rev=get4_cur(); /* rev is to add it as reverse dict */ + + error1("dic_add: eid=%d,fid=%d,hfid=%d",eid,fid,hfid); diff --git a/japanese/FreeWnn-server/files/patch-cg b/japanese/FreeWnn-server/files/patch-cg new file mode 100644 index 000000000000..a89d717ef51d --- /dev/null +++ b/japanese/FreeWnn-server/files/patch-cg @@ -0,0 +1,16 @@ +--- Wnn/jserver/dispatch.c~ Tue Sep 22 13:49:00 1992 ++++ Wnn/jserver/dispatch.c Fri Mar 10 00:24:44 2000 +@@ -308,9 +308,11 @@ + */ + + void +-get_file_name(p) register char *p; ++get_file_name(p, len) ++register char *p; ++int len; + { +- gets_cur(p); ++ gets_cur(p, len); + if(p[0] == 0){ + return; + } diff --git a/japanese/FreeWnn-server/files/patch-ch b/japanese/FreeWnn-server/files/patch-ch new file mode 100644 index 000000000000..3f0d73e0805d --- /dev/null +++ b/japanese/FreeWnn-server/files/patch-ch 
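Review bot: Adding `len` to the old-style definition `get_file_name(p, len)` in patch-cg gives the compiler nothing to check call sites against. A caller left as `get_file_name(path)` still compiles and passes an indeterminate length on to `gets_cur`; the same holds for `gets_cur(cp, len)` in patch-ab. The commit updates callers in do_env.c, do_dic_env.c and do_filecom.c, but whether other files call either function is not visible on this page. Where the supported compilers allow it, prototypes in a shared header, `void gets_cur(char *cp, int len);` and `void get_file_name(char *p, int len);`, would turn a missed call site into a compile error. The body of get_file_name continues past the end of the hunk.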
@@ -0,0 +1,122 @@ +--- Wnn/jserver/do_filecom.c~ Thu May 27 13:42:53 1993 ++++ Wnn/jserver/do_filecom.c Fri Mar 10 00:29:09 2000 +@@ -92,7 +92,7 @@ + {char path[FILENAME]; int x; + int err = 0; + err = envhandle(); +- get_file_name(path); ++ get_file_name(path, FILENAME); + + if(err == -1){ error_ret(); return;} + x=mkdir(path , MODE ); +@@ -117,7 +117,7 @@ + int eid; + + eid = envhandle(); +- get_file_name(path); ++ get_file_name(path, FILENAME); + if(eid == -1) {error_ret(); return;} + + if((fd = open(path , O_RDONLY)) >= 0){ +@@ -142,7 +142,7 @@ + int amode; + envhandle(); + amode=get4_cur(); +- get_file_name(path); ++ get_file_name(path, FILENAME); + + #ifdef WRITE_CHECK + check_backup(path); +@@ -222,7 +222,7 @@ + char n[FILENAME]; + + get4_cur(); /* env_id */ +- get_file_name(n); ++ get_file_name(n, FILENAME); + + put4_cur(file_stat(n)); + putc_purge(); +@@ -349,9 +349,9 @@ + + env_id=get4_cur(); /* env_id */ + fid=get4_cur(); +- get_file_name(fn); ++ get_file_name(fn, FILE_NAME_L); + getws_cur(com); +- gets_cur(hpasswd); ++ gets_cur(hpasswd, WNN_PASSWD_LEN); + if(find_fid_in_env(env_id,fid)==-1){ /* valid */ + wnn_errorno=WNN_FID_ERROR; + error_ret(); putc_purge(); return; +@@ -410,10 +410,10 @@ + w_char com[1024]; + char passwd[WNN_PASSWD_LEN], hpasswd[WNN_PASSWD_LEN]; + get4_cur(); /* env_id */ +- get_file_name(fn); ++ get_file_name(fn, FILE_NAME_L); + getws_cur(com); +- gets_cur(passwd); +- gets_cur(hpasswd); ++ gets_cur(passwd, WNN_PASSWD_LEN); ++ gets_cur(hpasswd, WNN_PASSWD_LEN); + type = get4_cur(); + + if(type != WNN_REV_DICT && +@@ -546,7 +546,7 @@ + int x; + + /* get4_cur(); env_id */ +- get_file_name(n); ++ get_file_name(n, FILE_NAME_L); + + if((x=file_loaded(n)) < 0) put4_cur(-1); + else put4_cur(x); +@@ -650,7 +650,7 @@ + + put4_cur(1); putc_purge(); + +- gets_cur(n); ++ gets_cur(n, FILE_NAME_L); + + /* read file */ + files[fid].localf= REMOTE; +@@ -674,7 +674,7 @@ + int env_id,fid; + + env_id=get4_cur(); /* env_id */ +- get_file_name(n); ++ 
get_file_name(n, FILE_NAME_L); + + fid = file_loaded(n); + if(fid == -1){ +@@ -742,7 +742,7 @@ + char n[FILE_NAME_L]; + env_id=get4_cur(); /* env_id */ + fid=get4_cur(); +- get_file_name(n); ++ get_file_name(n, FILE_NAME_L); + + if(find_fid_in_env(env_id,fid)==-1){ /* valid */ + wnn_errorno=WNN_FID_ERROR; +@@ -895,8 +895,8 @@ + char passwd[WNN_PASSWD_LEN]; + int x; + +- get_file_name(n); +- gets_cur(passwd); ++ get_file_name(n, FILE_NAME_L); ++ gets_cur(passwd, WNN_PASSWD_LEN); + + x = file_remove(n, passwd); + if(x == -1){ +@@ -958,8 +958,8 @@ + envi = get4_cur(); /* env_id */ + fid = get4_cur(); + which = get4_cur(); +- gets_cur(old); +- gets_cur(new); ++ gets_cur(old, WNN_PASSWD_LEN); ++ gets_cur(new, WNN_PASSWD_LEN); + + if(find_fid_in_env(envi,fid) == -1){ + wnn_errorno=WNN_FID_ERROR; -- cgit v1.2.3
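Review bot: `getws_cur(com)` is left without a length in the `@@ -349` and `@@ -410` hunks of patch-ch, although `com` is a fixed stack array (`w_char com[1024]` is visible in the second hunk) filled from the same client stream as the strings this commit bounds. getws_cur is not defined on this page; if it copies until a zero `w_char`, as the old gets_cur did for bytes, it needs the same treatment. That would be a length parameter in its definition and calls of the form `getws_cur(com, sizeof(com) / sizeof(com[0]))`. The declaration of `com` in the `@@ -349` hunk is above the hunk, so its size should be confirmed there.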