Caldera Security Advisory SA-1998.34: Buffer overflow in tcsh

Topic: Buffer overflow in tcsh
Advisory issue date: 7 November 1998


I. Problem Description

  A buffer overflow can be caused in tcsh which could potentially be
  exploited.

II. Impact

Description:

  This is the problem description for bash-1.14.7, but it is also valid
  for tcsh-6.07.02.
  If you cd in to a directory which has a path name larger than 1024
  bytes and you have 'w' included in your PS1 environment variable
  (which makes the path to the current working directory appear in each
  command line prompt), a buffer overflow will occur.

Vulnerable Systems:

  OpenLinux 1.0, 1.1, 1.2, 1.3 systems using bash packages prior to
  tcsh-6.07.02-2.


III. Solution


Correction:

        The proper solution is to upgrade to the tcsh-6.08.00-1 package.

        They can be found on Caldera's FTP site at:
  ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/current/RPMS

        The corresponding source code can be found at:
  ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/current/SRPMS

  The MD5 checksums (from the "md5sum" command) for these
  packages are:

5a2cc4cc4cc766de89866c2ac4f12d1b  RPMS/tcsh-6.08.00-1.i386.rpm
8eaf0da446db368c6993b0c39feaddf3  RPMS/tcsh-doc-html-6.08.00-1.i386.rpm
2d25bb4d31d3a136665885152ff1624f  SRPMS/tcsh-6.08.00-1.src.rpm

        Upgrade with the following commands:

  rpm -q tcsh & rpm -U tcsh-6.08.00-1.i386.rpm
  rpm -q tcsh-doc-html & rpm -U tcsh-doc-html-6.08.00-1.i386.rpm


IV. References

        This and other Caldera security resources are located at:
  http://www.caldera.com/news/security/index.html

        Additional documentation on a similar problem with bash can be
  found in:
  http://www.geek-girl.com/bugtraq/1998_3/0761.html

        This security fix closes Caldera's internal Problem Report 4161.