Package: lsat Version: 0.9.7.1-1 Severity: normal
I prepared a quick fix against buffer overflows. Some fixes against 'unsecure practices' are also included.
--- lsatmain.c.orig 2009-06-12 11:15:32.000000000 +0200 +++ lsatmain.c 2009-06-12 11:58:59.000000000 +0200 # remove unnecessary constants @@ -73,7 +73,7 @@ char *token; char tempstring[26]; char line[256]; - char thelist[33][12] = { {"pkgs"}, {"rpm"}, {"inetd"}, {"inittab"}, {"logging"}, {"set"}, {"write"}, {"dotfiles"}, {"passwd"}, {"files"}, {"umask"}, {"ftpusers"}, {"rc"}, {"kbd"}, {"limits"}, {"ssh"}, {"open"}, {"issue"}, {"www"}, {"md5"}, {"modules"}, {"securetty"}, {"perms"}, {"net"}, {"forward"}, {"promisc"}, {"listening"}, {"cfg"}, {"bpass"}, {"ipv4"}, {"startx"}, {"ftp"}, {"disk"} }; + static char *thelist[] = { "pkgs", "rpm", "inetd", "inittab", "logging", "set", "write", "dotfiles", "passwd", "files", "umask", "ftpusers", "rc", "kbd", "limits", "ssh", "open", "issue", "www", "md5", "modules", "securetty", "perms", "net", "forward", "promisc", "listening", "cfg", "bpass", "ipv4", "startx", "ftp", "disk" }; if ((fileptr = fopen(xlisting, "r"))==NULL) { @@ -101,7 +101,7 @@ /* see if they match. If they do, the user does */ /* not want to run that module, so we put it in */ /* another array of ints to look through later. */ - for (i=0;i<33;i++) + for (i=0;i<sizeof(thelist);i++) { if ((strcmp(thelist[i], tempstring)) == 0) { # duplicated flag @@ -155,7 +155,7 @@ /* this is silly, I should know how to do this more easily */ - if ((fileval = open("/tmp/lsat1.lsat", O_RDWR | O_CREAT | O_EXCL | O_EXCL, 0600)) < 0) + if ((fileval = open("/tmp/lsat1.lsat", O_RDWR | O_CREAT | O_EXCL, 0600)) < 0) { perror("Could not make file w/perms 0600...\n"); perror("Possible link attack while creating/opening file!\n"); # series of quick patches against segfaults @@ -308,11 +308,11 @@ */ char release[50]; /* array for release level */ char kernel[50]; /* what kernel user is running */ - static char *man_distro; /* if the user specifies a distribution */ + char *man_distro; /* if the user specifies a distribution */ const char * header =NULL; /* to print out the header */ - static char *out_file = "lsat.out"; /* output filename var */ + char *out_file = "lsat.out"; /* output filename var */ char xlist[100]; /* modules to exclude */ # always initialized to zero - int xarray[33] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}; + int xarray[33] = {}; int somethinginxlist = 0; /* note if no filename given, default = lsat.out */ FILE *tempptr; /* a temp file pointer */ @@ -350,10 +350,16 @@ diff = 1; break; case 'm': - strcpy(man_distro, argv[i]+3); + if (argv[i][2] != '\0') { + usage(); + } + man_distro = argv[i]+3; break; case 'o': - strcpy(out_file, argv[i]+3); + if (argv[i][2] != '\0') { + usage(); + } + out_file = argv[i]+3; break; case 'r': rpmmodule = 1; @@ -368,7 +374,11 @@ html = 1; out_file="lsat.html"; break; - case 'x': strcpy(xlist,argv[i]+3); + case 'x': + if (argv[i][2] != '\0') { + usage(); + } + strncpy(xlist,argv[i]+3,sizeof(xlist)); somethinginxlist = 1; break; default :