2005-11-10 17:30:04 +01:00
$NetBSD: patch-ac,v 1.3 2005/11/10 16:30:04 joerg Exp $
Initial import of tcx-19940124 into the NetBSD Packages Collection.
TCX is a system designed for the transparent decompression, execution
and recompression of executables under Unix. It allows configuration
options such as the type of compression system used (compress(1),
gzip(1), your own local system etc), timeouts between recompressions,
and emergency directories in case a decompression fails from shortage
of disk space. The system is designed with a reasonable amount of
robustness in mind, such as in the event of system crashes, or races
on trying to uncompress, compress or execute something.
This software is quite old (vintage 1993-94), and some things have moved
on since then. In particular, untcx is setuid root. I have done a minor
security audit, but anyone installing this software is invited to conduct
one for themselves.
===========================================================================
$NetBSD: MESSAGE,v 1.2 2002/09/12 19:37:07 wiz Exp $
WARNING - this package contains a setuid root executable called
untcx, which was written in 1994, and contained calls to getwd(3),
sprintf(3), strcpy(3) and strcat(3). I've done a minor audit of
the code, and have fixed the above functions with calls to safer
alternatives, but you may wish to delete this package from your
own systems until you have carried out your own audit.
===========================================================================
2003-06-23 15:55:24 +02:00
2005-11-10 17:30:04 +01:00
--- untcx.c.orig 1994-01-09 22:47:53.000000000 +0000
|
|
|
|
+++ untcx.c
|
|
|
|
@@ -48,7 +48,6 @@ pstat *pihash[MAXOPENFILES];
|
|
|
|
void update_pstat_info();
|
|
|
|
#endif
|
|
|
|
|
|
|
|
-extern int errno;
|
|
|
|
path *worklist = NULL, *freelist = NULL;
|
|
|
|
|
|
|
|
|
|
|
|
@@ -166,9 +165,9 @@ int local;
|
Initial import of tcx-19940124 into the NetBSD Packages Collection.
TCX is a system designed for the transparent decompression, execution
and recompression of executables under Unix. It allows configuration
options such as the type of compression system used (compress(1),
gzip(1), your own local system etc), timeouts between recompressions,
and emergency directories in case a decompression fails from shortage
of disk space. The system is designed with a reasonable amount of
robustness in mind, such as in the event of system crashes, or races
on trying to uncompress, compress or execute something.
This software is quite old (vintage 1993-94), and some things have moved
on since then. In particular, untcx is setuid root. I have done a minor
security audit, but anyone installing this software is invited to conduct
one for themselves.
===========================================================================
$NetBSD: MESSAGE,v 1.2 2002/09/12 19:37:07 wiz Exp $
WARNING - this package contains a setuid root executable called
untcx, which was written in 1994, and contained calls to getwd(3),
sprintf(3), strcpy(3) and strcat(3). I've done a minor audit of
the code, and have fixed the above functions with calls to safer
alternatives, but you may wish to delete this package from your
own systems until you have carried out your own audit.
===========================================================================
2003-06-23 15:55:24 +02:00
|
|
|
|
|
|
|
/* Set global paths */
|
|
|
|
|
|
|
|
- (void)sprintf(logpath, "%s/log", ENFSDIR);
|
|
|
|
- (void)sprintf(logtmppath, "%s/logtmp", ENFSDIR);
|
|
|
|
- (void)sprintf(lockpath, "%s/.lock", ENFSDIR);
|
|
|
|
+ (void)snprintf(logpath, sizeof(logpath), "%s/log", ENFSDIR);
|
|
|
|
+ (void)snprintf(logtmppath, sizeof(logtmppath), "%s/logtmp", ENFSDIR);
|
|
|
|
+ (void)snprintf(lockpath, sizeof(lockpath), "%s/.lock", ENFSDIR);
|
|
|
|
|
|
|
|
/* Check and start tcxd as required */
|
|
|
|
|
2005-11-10 17:30:04 +01:00
|
|
|
@@ -185,16 +184,16 @@ int local;
|
Initial import of tcx-19940124 into the NetBSD Packages Collection.
TCX is a system designed for the transparent decompression, execution
and recompression of executables under Unix. It allows configuration
options such as the type of compression system used (compress(1),
gzip(1), your own local system etc), timeouts between recompressions,
and emergency directories in case a decompression fails from shortage
of disk space. The system is designed with a reasonable amount of
robustness in mind, such as in the event of system crashes, or races
on trying to uncompress, compress or execute something.
This software is quite old (vintage 1993-94), and some things have moved
on since then. In particular, untcx is setuid root. I have done a minor
security audit, but anyone installing this software is invited to conduct
one for themselves.
===========================================================================
$NetBSD: MESSAGE,v 1.2 2002/09/12 19:37:07 wiz Exp $
WARNING - this package contains a setuid root executable called
untcx, which was written in 1994, and contained calls to getwd(3),
sprintf(3), strcpy(3) and strcat(3). I've done a minor audit of
the code, and have fixed the above functions with calls to safer
alternatives, but you may wish to delete this package from your
own systems until you have carried out your own audit.
===========================================================================
2003-06-23 15:55:24 +02:00
|
|
|
|
|
|
|
/* Grab argv[0] and resolve to full path name via getwd() */
|
|
|
|
|
|
|
|
- if(getwd(cwd) == NULL)
|
|
|
|
+ if(getcwd(cwd, sizeof(cwd)) == NULL)
|
|
|
|
{
|
|
|
|
(void)fprintf(stderr, "Get Working Directory Error: %s\n", cwd);
|
|
|
|
exit(-1);
|
|
|
|
}
|
|
|
|
|
|
|
|
if(*argv[0] == '/')
|
|
|
|
- (void)strcpy(realdir, argv[0]);
|
|
|
|
+ (void)strlcpy(realdir, argv[0], sizeof(realdir));
|
|
|
|
else
|
|
|
|
- (void)sprintf(realdir, "%s/%s", cwd, argv[0]);
|
|
|
|
+ (void)snprintf(realdir, sizeof(realdir), "%s/%s", cwd, argv[0]);
|
|
|
|
for(;;)
|
|
|
|
{
|
|
|
|
if((c = strrchr(realdir, '/')) == NULL)
|
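Review bot: The error branch after `getcwd(cwd, sizeof(cwd)) == NULL` still prints `cwd` with `%s`, which only made sense for getwd(), where the buffer received an error message on failure. After a failed getcwd() the buffer contents are unspecified, so this can print garbage or read an unterminated array. Report the cause from errno instead, e.g. `(void)fprintf(stderr, "Get Working Directory Error: %s\n", strerror(errno));`. The same leftover is in the `getcwd(realdir, ...)` branch of the -212 hunk (which also prints `cwd` rather than `realdir`) and in both getcwd calls of the -810 hunk. The enclosing function starts and ends outside this hunk.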
2005-11-10 17:30:04 +01:00
|
|
|
@@ -203,7 +202,7 @@ int local;
|
Initial import of tcx-19940124 into the NetBSD Packages Collection.
TCX is a system designed for the transparent decompression, execution
and recompression of executables under Unix. It allows configuration
options such as the type of compression system used (compress(1),
gzip(1), your own local system etc), timeouts between recompressions,
and emergency directories in case a decompression fails from shortage
of disk space. The system is designed with a reasonable amount of
robustness in mind, such as in the event of system crashes, or races
on trying to uncompress, compress or execute something.
This software is quite old (vintage 1993-94), and some things have moved
on since then. In particular, untcx is setuid root. I have done a minor
security audit, but anyone installing this software is invited to conduct
one for themselves.
===========================================================================
$NetBSD: MESSAGE,v 1.2 2002/09/12 19:37:07 wiz Exp $
WARNING - this package contains a setuid root executable called
untcx, which was written in 1994, and contained calls to getwd(3),
sprintf(3), strcpy(3) and strcat(3). I've done a minor audit of
the code, and have fixed the above functions with calls to safer
alternatives, but you may wish to delete this package from your
own systems until you have carried out your own audit.
===========================================================================
2003-06-23 15:55:24 +02:00
|
|
|
exit(-1);
|
|
|
|
}
|
|
|
|
c++;
|
|
|
|
- (void)strcpy(execname, c);
|
|
|
|
+ (void)strlcpy(execname, c, sizeof(execname));
|
|
|
|
*c = '\0';
|
|
|
|
|
|
|
|
if(chdir(realdir) < 0) /* Oops. Failed. Report and quit. */
|
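Review bot: `strlcpy(execname, c, sizeof(execname))` discards its return value, so an over-long name is silently cut and the later `tcxtarg`/`untcxtmp` paths are built from a name that is not the one supplied. In a setuid program a truncated path should be a hard error rather than a different target. Compare the result with the buffer size and bail out, e.g. `if (strlcpy(execname, c, sizeof(execname)) >= sizeof(execname)) { (void)fprintf(stderr, "name too long\n"); exit(-1); }`, and for snprintf test `n < 0 || (size_t)n >= sizeof(buf)`. The same unchecked `(void)` pattern is used for the strlcpy/strlcat/snprintf calls in the -185, -238, -291, -302, -315, -323, -810 and -1244 hunks. The enclosing function extends beyond this hunk.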
2005-11-10 17:30:04 +01:00
|
|
|
@@ -212,7 +211,7 @@ int local;
|
Initial import of tcx-19940124 into the NetBSD Packages Collection.
TCX is a system designed for the transparent decompression, execution
and recompression of executables under Unix. It allows configuration
options such as the type of compression system used (compress(1),
gzip(1), your own local system etc), timeouts between recompressions,
and emergency directories in case a decompression fails from shortage
of disk space. The system is designed with a reasonable amount of
robustness in mind, such as in the event of system crashes, or races
on trying to uncompress, compress or execute something.
This software is quite old (vintage 1993-94), and some things have moved
on since then. In particular, untcx is setuid root. I have done a minor
security audit, but anyone installing this software is invited to conduct
one for themselves.
===========================================================================
$NetBSD: MESSAGE,v 1.2 2002/09/12 19:37:07 wiz Exp $
WARNING - this package contains a setuid root executable called
untcx, which was written in 1994, and contained calls to getwd(3),
sprintf(3), strcpy(3) and strcat(3). I've done a minor audit of
the code, and have fixed the above functions with calls to safer
alternatives, but you may wish to delete this package from your
own systems until you have carried out your own audit.
===========================================================================
2003-06-23 15:55:24 +02:00
|
|
|
exit(-1);
|
|
|
|
}
|
|
|
|
|
|
|
|
- if(getwd(realdir) == NULL)
|
|
|
|
+ if(getcwd(realdir, sizeof(realdir)) == NULL)
|
|
|
|
{
|
|
|
|
(void)fprintf(stderr, "Get Working Directory Error: %s\n", cwd);
|
|
|
|
exit(-1);
|
2005-11-10 17:30:04 +01:00
|
|
|
@@ -238,11 +237,11 @@ int local;
|
Initial import of tcx-19940124 into the NetBSD Packages Collection.
TCX is a system designed for the transparent decompression, execution
and recompression of executables under Unix. It allows configuration
options such as the type of compression system used (compress(1),
gzip(1), your own local system etc), timeouts between recompressions,
and emergency directories in case a decompression fails from shortage
of disk space. The system is designed with a reasonable amount of
robustness in mind, such as in the event of system crashes, or races
on trying to uncompress, compress or execute something.
This software is quite old (vintage 1993-94), and some things have moved
on since then. In particular, untcx is setuid root. I have done a minor
security audit, but anyone installing this software is invited to conduct
one for themselves.
===========================================================================
$NetBSD: MESSAGE,v 1.2 2002/09/12 19:37:07 wiz Exp $
WARNING - this package contains a setuid root executable called
untcx, which was written in 1994, and contained calls to getwd(3),
sprintf(3), strcpy(3) and strcat(3). I've done a minor audit of
the code, and have fixed the above functions with calls to safer
alternatives, but you may wish to delete this package from your
own systems until you have carried out your own audit.
===========================================================================
2003-06-23 15:55:24 +02:00
|
|
|
}
|
|
|
|
execpath[len] = '\0';
|
|
|
|
if(execpath[0] == '/')
|
|
|
|
- (void)strcpy(realdir, execpath);
|
|
|
|
+ (void)strlcpy(realdir, execpath, sizeof(realdir));
|
|
|
|
else
|
|
|
|
{
|
|
|
|
- (void)strcat(realdir, "/");
|
|
|
|
- (void)strcat(realdir, execpath);
|
|
|
|
+ (void)strlcat(realdir, "/", sizeof(realdir));
|
|
|
|
+ (void)strlcat(realdir, execpath, sizeof(realdir));
|
|
|
|
}
|
|
|
|
continue;
|
|
|
|
}
|
2005-11-10 17:30:04 +01:00
|
|
|
@@ -291,8 +290,8 @@ int local;
|
Initial import of tcx-19940124 into the NetBSD Packages Collection.
TCX is a system designed for the transparent decompression, execution
and recompression of executables under Unix. It allows configuration
options such as the type of compression system used (compress(1),
gzip(1), your own local system etc), timeouts between recompressions,
and emergency directories in case a decompression fails from shortage
of disk space. The system is designed with a reasonable amount of
robustness in mind, such as in the event of system crashes, or races
on trying to uncompress, compress or execute something.
This software is quite old (vintage 1993-94), and some things have moved
on since then. In particular, untcx is setuid root. I have done a minor
security audit, but anyone installing this software is invited to conduct
one for themselves.
===========================================================================
$NetBSD: MESSAGE,v 1.2 2002/09/12 19:37:07 wiz Exp $
WARNING - this package contains a setuid root executable called
untcx, which was written in 1994, and contained calls to getwd(3),
sprintf(3), strcpy(3) and strcat(3). I've done a minor audit of
the code, and have fixed the above functions with calls to safer
alternatives, but you may wish to delete this package from your
own systems until you have carried out your own audit.
===========================================================================
2003-06-23 15:55:24 +02:00
|
|
|
#else
|
|
|
|
if(setreuid(getuid(), getuid()) < 0) { perror("setreuid"); exit(-1); }
|
|
|
|
#endif
|
|
|
|
- (void)sprintf(tcxtarg, "%s/%s", realdir, execname);
|
|
|
|
- (void)sprintf(untcxtmp, "%s/.untcx.%s", realdir, execname);
|
|
|
|
+ (void)snprintf(tcxtarg, sizeof(tcxtarg), "%s/%s", realdir, execname);
|
|
|
|
+ (void)snprintf(untcxtmp, sizeof(untcxtmp), "%s/.untcx.%s", realdir, execname);
|
|
|
|
just_untcx(tcxtarg, untcxtmp);
|
|
|
|
exit(0);
|
|
|
|
}
|
2005-11-10 17:30:04 +01:00
|
|
|
@@ -302,8 +301,8 @@ int local;
|
Initial import of tcx-19940124 into the NetBSD Packages Collection.
TCX is a system designed for the transparent decompression, execution
and recompression of executables under Unix. It allows configuration
options such as the type of compression system used (compress(1),
gzip(1), your own local system etc), timeouts between recompressions,
and emergency directories in case a decompression fails from shortage
of disk space. The system is designed with a reasonable amount of
robustness in mind, such as in the event of system crashes, or races
on trying to uncompress, compress or execute something.
This software is quite old (vintage 1993-94), and some things have moved
on since then. In particular, untcx is setuid root. I have done a minor
security audit, but anyone installing this software is invited to conduct
one for themselves.
===========================================================================
$NetBSD: MESSAGE,v 1.2 2002/09/12 19:37:07 wiz Exp $
WARNING - this package contains a setuid root executable called
untcx, which was written in 1994, and contained calls to getwd(3),
sprintf(3), strcpy(3) and strcat(3). I've done a minor audit of
the code, and have fixed the above functions with calls to safer
alternatives, but you may wish to delete this package from your
own systems until you have carried out your own audit.
===========================================================================
2003-06-23 15:55:24 +02:00
|
|
|
|
|
|
|
if(local)
|
|
|
|
{
|
|
|
|
- (void)sprintf(tcxtarg, "%s/%s", realdir, execname);
|
|
|
|
- (void)sprintf(untcxtmp, "%s/.untcx.%s", realdir, execname);
|
|
|
|
+ (void)snprintf(tcxtarg, sizeof(tcxtarg), "%s/%s", realdir, execname);
|
|
|
|
+ (void)snprintf(untcxtmp, sizeof(untcxtmp), "%s/.untcx.%s", realdir, execname);
|
|
|
|
untcx_and_exec_local(tcxtarg, untcxtmp, &(argv[1]));
|
|
|
|
}
|
|
|
|
#endif
|
2005-11-10 17:30:04 +01:00
|
|
|
@@ -315,7 +314,7 @@ int local;
|
Initial import of tcx-19940124 into the NetBSD Packages Collection.
TCX is a system designed for the transparent decompression, execution
and recompression of executables under Unix. It allows configuration
options such as the type of compression system used (compress(1),
gzip(1), your own local system etc), timeouts between recompressions,
and emergency directories in case a decompression fails from shortage
of disk space. The system is designed with a reasonable amount of
robustness in mind, such as in the event of system crashes, or races
on trying to uncompress, compress or execute something.
This software is quite old (vintage 1993-94), and some things have moved
on since then. In particular, untcx is setuid root. I have done a minor
security audit, but anyone installing this software is invited to conduct
one for themselves.
===========================================================================
$NetBSD: MESSAGE,v 1.2 2002/09/12 19:37:07 wiz Exp $
WARNING - this package contains a setuid root executable called
untcx, which was written in 1994, and contained calls to getwd(3),
sprintf(3), strcpy(3) and strcat(3). I've done a minor audit of
the code, and have fixed the above functions with calls to safer
alternatives, but you may wish to delete this package from your
own systems until you have carried out your own audit.
===========================================================================
2003-06-23 15:55:24 +02:00
|
|
|
for(c = realdir; *c ; c++)
|
|
|
|
if(*c == '/')
|
|
|
|
*c = '=';
|
|
|
|
- (void)sprintf(tcxtarg, "%s/%s", ENFSDIR, realdir);
|
|
|
|
+ (void)snprintf(tcxtarg, sizeof(tcxtarg), "%s/%s", ENFSDIR, realdir);
|
|
|
|
if(mkdir(tcxtarg, 0777) < 0)
|
|
|
|
if(errno != EEXIST)
|
|
|
|
{
|
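Review bot: `mkdir(tcxtarg, 0777)` creates the unpack directory under ENFSDIR with a world-writable mode (subject to umask), and the -323 hunk then forces that mode with `chmod(tcxtarg, 0777)`. The path built from it is later passed to `untcx_and_exec_nfs`, so other local accounts could presumably modify what is placed there before it is executed. Whether ownership or dropped privileges constrain this is not visible in the hunk and needs confirming. A mode without group/other write, e.g. `mkdir(tcxtarg, 0755)`, or `01777` if the directory must be shared, would be the safer default. The -810 hunk does the same for `linkpath`, and the `if(errno != EEXIST)` block continues outside this hunk.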
2005-11-10 17:30:04 +01:00
|
|
|
@@ -323,9 +322,9 @@ int local;
|
Initial import of tcx-19940124 into the NetBSD Packages Collection.
TCX is a system designed for the transparent decompression, execution
and recompression of executables under Unix. It allows configuration
options such as the type of compression system used (compress(1),
gzip(1), your own local system etc), timeouts between recompressions,
and emergency directories in case a decompression fails from shortage
of disk space. The system is designed with a reasonable amount of
robustness in mind, such as in the event of system crashes, or races
on trying to uncompress, compress or execute something.
This software is quite old (vintage 1993-94), and some things have moved
on since then. In particular, untcx is setuid root. I have done a minor
security audit, but anyone installing this software is invited to conduct
one for themselves.
===========================================================================
$NetBSD: MESSAGE,v 1.2 2002/09/12 19:37:07 wiz Exp $
WARNING - this package contains a setuid root executable called
untcx, which was written in 1994, and contained calls to getwd(3),
sprintf(3), strcpy(3) and strcat(3). I've done a minor audit of
the code, and have fixed the above functions with calls to safer
alternatives, but you may wish to delete this package from your
own systems until you have carried out your own audit.
===========================================================================
2003-06-23 15:55:24 +02:00
|
|
|
exit(-1);
|
|
|
|
}
|
|
|
|
(void)chmod(tcxtarg, 0777);
|
|
|
|
- (void)strcat(tcxtarg,"/");
|
|
|
|
- (void)strcat(tcxtarg, execname);
|
|
|
|
- (void)sprintf(untcxtmp, "%s/%s/.untcx.%s", ENFSDIR, realdir, execname);
|
|
|
|
+ (void)strlcat(tcxtarg,"/", sizeof(tcxtarg));
|
|
|
|
+ (void)strlcat(tcxtarg, execname, sizeof(tcxtarg));
|
|
|
|
+ (void)snprintf(untcxtmp, sizeof(untcxtmp), "%s/%s/.untcx.%s", ENFSDIR, realdir, execname);
|
|
|
|
|
|
|
|
untcx_and_exec_nfs(argv[0], untcxtmp, tcxtarg, &(argv[1]));
|
|
|
|
|
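Review bot: `(void)chmod(tcxtarg, 0777)` runs unconditionally as far as the visible lines show, including when the mkdir in the preceding hunk failed with EEXIST. The mode change is then applied to whatever already exists at that path (chmod follows symbolic links), and its failure is ignored. The `linkpath` code in the -810 hunk only calls chmod in the `else` branch after a successful mkdir. Doing the same here, or checking with `lstat` that the existing entry is a directory before touching it, would close that gap. The start of the enclosing block is outside the hunk.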
2005-11-10 17:30:04 +01:00
|
|
|
@@ -415,7 +414,7 @@ int lastoff;
|
Initial import of tcx-19940124 into the NetBSD Packages Collection.
TCX is a system designed for the transparent decompression, execution
and recompression of executables under Unix. It allows configuration
options such as the type of compression system used (compress(1),
gzip(1), your own local system etc), timeouts between recompressions,
and emergency directories in case a decompression fails from shortage
of disk space. The system is designed with a reasonable amount of
robustness in mind, such as in the event of system crashes, or races
on trying to uncompress, compress or execute something.
This software is quite old (vintage 1993-94), and some things have moved
on since then. In particular, untcx is setuid root. I have done a minor
security audit, but anyone installing this software is invited to conduct
one for themselves.
===========================================================================
$NetBSD: MESSAGE,v 1.2 2002/09/12 19:37:07 wiz Exp $
WARNING - this package contains a setuid root executable called
untcx, which was written in 1994, and contained calls to getwd(3),
sprintf(3), strcpy(3) and strcat(3). I've done a minor audit of
the code, and have fixed the above functions with calls to safer
alternatives, but you may wish to delete this package from your
own systems until you have carried out your own audit.
===========================================================================
2003-06-23 15:55:24 +02:00
|
|
|
|
|
|
|
/* Write our process id to the lock file. Don't really care if fails. */
|
|
|
|
|
|
|
|
- (void)sprintf(spid, "%d\n", getpid());
|
|
|
|
+ (void)snprintf(spid, sizeof(spid), "%d\n", getpid());
|
|
|
|
(void)write(lkfd, spid, strlen(spid));
|
|
|
|
|
|
|
|
#ifdef UNPACK_IN_PLACE
|
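Review bot: `snprintf(spid, sizeof(spid), "%d\n", getpid())` passes a pid_t to `%d`, and pid_t is not guaranteed to be int. Cast explicitly so the format and argument always agree: `(void)snprintf(spid, sizeof(spid), "%ld\n", (long)getpid());`. The declaration of `spid` is outside the hunk, so its size should also be checked against the longest value that can be printed.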
2005-11-10 17:30:04 +01:00
|
|
|
@@ -810,30 +809,30 @@ int len;
|
Initial import of tcx-19940124 into the NetBSD Packages Collection.
TCX is a system designed for the transparent decompression, execution
and recompression of executables under Unix. It allows configuration
options such as the type of compression system used (compress(1),
gzip(1), your own local system etc), timeouts between recompressions,
and emergency directories in case a decompression fails from shortage
of disk space. The system is designed with a reasonable amount of
robustness in mind, such as in the event of system crashes, or races
on trying to uncompress, compress or execute something.
This software is quite old (vintage 1993-94), and some things have moved
on since then. In particular, untcx is setuid root. I have done a minor
security audit, but anyone installing this software is invited to conduct
one for themselves.
===========================================================================
$NetBSD: MESSAGE,v 1.2 2002/09/12 19:37:07 wiz Exp $
WARNING - this package contains a setuid root executable called
untcx, which was written in 1994, and contained calls to getwd(3),
sprintf(3), strcpy(3) and strcat(3). I've done a minor audit of
the code, and have fixed the above functions with calls to safer
alternatives, but you may wish to delete this package from your
own systems until you have carried out your own audit.
===========================================================================
2003-06-23 15:55:24 +02:00
|
|
|
|
|
|
|
/* resolve first stage of argv[0] */
|
|
|
|
|
|
|
|
- if(getwd(cwd) == NULL) { (void)fprintf(stderr, "Get Working Directory Error: %s\n", cwd); exit(-1); }
|
|
|
|
+ if(getcwd(cwd, sizeof(cwd)) == NULL) { (void)fprintf(stderr, "Get Working Directory Error: %s\n", cwd); exit(-1); }
|
|
|
|
|
|
|
|
- if(*argv[0] == '/') (void)strcpy(realdir, argv[0]); else (void)sprintf(realdir, "%s/%s", cwd, argv[0]);
|
|
|
|
+ if(*argv[0] == '/') (void)strlcpy(realdir, argv[0], sizeof(realdir)); else (void)snprintf(realdir, sizeof(realdir), "%s/%s", cwd, argv[0]);
|
|
|
|
|
|
|
|
if((c = strrchr(realdir, '/')) == NULL) { (void)fprintf(stderr, "Help! Internal corruption of variables!\n"); exit(-1); }
|
|
|
|
|
|
|
|
- c++; (void)strcpy(execname, c); *c = '\0';
|
|
|
|
+ c++; (void)strlcpy(execname, c, sizeof(execname)); *c = '\0';
|
|
|
|
|
|
|
|
if(chdir(realdir) < 0) { perror(realdir); exit(-1); }
|
|
|
|
|
|
|
|
- if(getwd(realdir) == NULL) { (void)fprintf(stderr, "Get Working Directory Error: %s\n", cwd); exit(-1); }
|
|
|
|
+ if(getcwd(realdir, sizeof(realdir)) == NULL) { (void)fprintf(stderr, "Get Working Directory Error: %s\n", cwd); exit(-1); }
|
|
|
|
|
|
|
|
for(c = realdir; *c; c++)
|
|
|
|
if(*c == '/')
|
|
|
|
*c = '=';
|
|
|
|
- (void)sprintf(linkpath, "%s/%s", ENFSDIR, realdir);
|
|
|
|
+ (void)snprintf(linkpath, sizeof(linkpath), "%s/%s", ENFSDIR, realdir);
|
|
|
|
if(mkdir(linkpath, 0777) < 0)
|
|
|
|
{
|
|
|
|
if(errno != EEXIST) { perror(linkpath); exit(-1); }
|
|
|
|
}
|
|
|
|
else
|
|
|
|
(void)chmod(linkpath, 0777);
|
|
|
|
- (void)strcat(linkpath,"/");
|
|
|
|
- (void)strcat(linkpath, execname);
|
|
|
|
+ (void)strlcat(linkpath,"/", sizeof(linkpath));
|
|
|
|
+ (void)strlcat(linkpath, execname, sizeof(linkpath));
|
|
|
|
|
|
|
|
if(chdir(cwd) < 0) { perror(cwd); exit(-1); }
|
|
|
|
|
2005-11-10 17:30:04 +01:00
|
|
|
@@ -1244,7 +1243,7 @@ struct stat sb;
|
Initial import of tcx-19940124 into the NetBSD Packages Collection.
TCX is a system designed for the transparent decompression, execution
and recompression of executables under Unix. It allows configuration
options such as the type of compression system used (compress(1),
gzip(1), your own local system etc), timeouts between recompressions,
and emergency directories in case a decompression fails from shortage
of disk space. The system is designed with a reasonable amount of
robustness in mind, such as in the event of system crashes, or races
on trying to uncompress, compress or execute something.
This software is quite old (vintage 1993-94), and some things have moved
on since then. In particular, untcx is setuid root. I have done a minor
security audit, but anyone installing this software is invited to conduct
one for themselves.
===========================================================================
$NetBSD: MESSAGE,v 1.2 2002/09/12 19:37:07 wiz Exp $
WARNING - this package contains a setuid root executable called
untcx, which was written in 1994, and contained calls to getwd(3),
sprintf(3), strcpy(3) and strcat(3). I've done a minor audit of
the code, and have fixed the above functions with calls to safer
alternatives, but you may wish to delete this package from your
own systems until you have carried out your own audit.
===========================================================================
2003-06-23 15:55:24 +02:00
|
|
|
if((curr = (path *)malloc(sizeof(path))) == NULL)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
- (void)strcpy(curr->path, newpath);
|
|
|
|
+ (void)strlcpy(curr->path, newpath, sizeof(curr->path));
|
|
|
|
#ifdef UNPACK_IN_PLACE
|
|
|
|
curr->pid = -1;
|
|
|
|
(strstr(newpath, ENFSDIR) == newpath) ? (curr->local = 0) : (curr->local = 1);
|
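Review bot: `sizeof(curr->path)` is the right bound only if the `path` member is a character array; its declaration is outside this hunk, and if the member were a pointer the copy would be limited to the pointer size. A short comment at the call, such as `/* curr->path is a fixed-size char array; sizeof gives its capacity */`, or a named size constant shared with the declaration would make this checkable in review. The loop around this code starts and ends outside the hunk.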
2005-11-10 17:30:04 +01:00
|
|
|
@@ -1313,7 +1312,7 @@ int
|
2003-09-23 10:46:45 +02:00
|
|
|
dodecode(int infd, int outfd)
|
|
|
|
{
|
|
|
|
int pid;
|
|
|
|
-#if defined(IRIX) || defined(AIX)
|
|
|
|
+#if defined(IRIX) || defined(AIX) || defined(sun)
|
|
|
|
int status;
|
|
|
|
#else
|
|
|
|
union wait status;
|
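Review bot: Adding `defined(sun)` to the list keeps `union wait` as the fallback, although `int status` is what POSIX wait()/waitpid() take and `union wait` is the legacy BSD form. Inverting the test so that `int status;` is the default, with only platforms that really need it selecting `union wait`, would stop this list from growing. At minimum add `/* POSIX wait status is an int; union wait kept for old BSD only */` above the `#if`. The `#endif` and the rest of dodecode are outside the hunk.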