This archive contains a binary copy of Linux LIBC 4.6.27 with syslog.c fixed to
correct the recent security hole that has been widely discussed.  The source
patch is shown below.  In addition to this change, this C library already has
the change:

#define _PATH_UTMP	"/var/run/utmp"
#define _PATH_WTMP	"/var/log/wtmp"
#define _PATH_LASTLOG	"/var/log/lastlog"

installed, which wasn't made until later revisions of the C library.  I already
made this transition myself to make life easier later on.  From the more recent
LIBC instructions, the following procedure should be performed to make the
environment compatible with this library:

1. lastlog, utmp and wtmp have been moved again by the Linux FS
   standard, the transition procedure is like this:

   a. If /var/log doesn't exist,

	cd /var; mv adm log; ln -s /var/log adm
	cd /var/log; mv utmp /var/run; ln -s /var/run/utmp .

   b. If /var/log exists,

	cd /var; mv adm/* log; rm -rf adm; ln -s /var/log adm
	cd /var/log; mv utmp /var/run; ln -s /var/run/utmp .

When I announced that I'd fixed my own copy of 4.6.27, several people asked for
a copy, so I am making these binaries available for those who do not yet wish
to upgrade from 4.6.27, and also are not interested in compiling their own copy
from source.  It was compiled using GCC 2.7.0.  Installation can be completed
by extracting the files and moving them into place.  Be careful when installing
files into /lib, as an error can leave a non-working system.

		Leonard


--- syslog.c-	Tue Aug 23 14:14:41 1994
+++ syslog.c	Thu Aug 31 23:53:27 1995
@@ -102,7 +102,9 @@
 	register char *p;
 	time_t now;
 	int fd, saved_errno;
-	char tbuf[2048], fmt_cpy[1024], *stdp;
+#define TBUFSIZ 2048
+#define FMTSIZ  1024
+	char tbuf[TBUFSIZ+3], fmt_cpy[FMTSIZ+1], *stdp;
 
 	saved_errno = errno;
 
@@ -118,7 +120,7 @@
 
 	/* Build the message. */
 	(void)time(&now);
-	(void)sprintf(tbuf, "<%d>%.15s ", pri, ctime(&now) + 4);
+	(void)snprintf(tbuf, TBUFSIZ, "<%d>%.15s ", pri, ctime(&now) + 4);
 	for (p = tbuf; *p; ++p);
 	if (LogStat & LOG_PERROR)
 		stdp = p;
@@ -127,7 +129,7 @@
 		for (; *p; ++p);
 	}
 	if (LogStat & LOG_PID) {
-		(void)sprintf(p, "[%d]", getpid());
+		(void)snprintf(p, TBUFSIZ-(p-tbuf), "[%d]", getpid());
 		for (; *p; ++p);
 	}
 	if (LogTag) {
@@ -137,20 +139,21 @@
 
 	/* Substitute error message for %m. */
 	{
-		register char ch, *t1, *t2;
+		register char ch, *t1;
 		char *strerror();
 
-		for (t1 = fmt_cpy; ch = *fmt; ++fmt)
+		for (t1 = fmt_cpy; (ch = *fmt) != '\0' && t1<fmt_cpy+FMTSIZ; ++fmt)
 			if (ch == '%' && fmt[1] == 'm') {
 				++fmt;
-				t1 += sprintf(t1, "%s", strerror(saved_errno));
+				t1 += snprintf(t1, FMTSIZ-(t1-fmt_cpy),
+					       "%s", strerror(saved_errno));
 			}
 			else
 				*t1++ = ch;
 		*t1 = '\0';
 	}
 
-	p += vsprintf(p, fmt_cpy, ap);
+	p += vsnprintf(p, TBUFSIZ-(p-tbuf), fmt_cpy, ap);
 	cnt = p - tbuf;
 
 	/* Output to stderr if requested. */
@@ -175,7 +178,7 @@
 	}
 	else
 	{
-		/* If the write fails, we try to reconect it next
+		/* If the write fails, we try to reconnect it next
 		 * time. */
 		closelog ();
 	}
