Bug#: 112140
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Description:   Opened: 2005-11-10 22:23 0000
Red Hat reports:

A buffer overflow issue was reported to our bugzilla.

It seems when creating a cpio archive, it is possible to overflow a buffer
on the stack with a very large file (sparse files should suffice). This
issue only affects 64 bit platforms as the sizeof(long) isn't large enough
to cause an overflow on 32 bit systems.

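Added illustration of the failure mode described above (constructed for this page; not cpio's source and not the Red Hat patch). It assumes an 11-octal-digit size field like the c_filesize field of cpio's old portable ASCII header, and shows why a file of 8 GiB or more needs a twelfth digit, why a 32-bit long can never reach that size, and how a bounded encoder rejects such a size instead of writing past the field.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed layout for this example: cpio's old portable ASCII ("odc") header
 * stores c_filesize in 11 octal digits, so the largest representable size is
 * 077777777777 = 2^33 - 1 bytes (just under 8 GiB). */
#define ODC_FILESIZE_DIGITS 11
#define ODC_FILESIZE_MAX    ((UINT64_C(1) << 33) - 1)
/* Number of octal digits needed to print v (at least 1). */
int octal_digits_needed(uint64_t v)
{
    int n = 1;
    while (v >>= 3)
        n++;
    return n;
}
/* Would an unbounded sprintf(buf, "%011lo", size) overrun an 11-byte field?
 * "011" is only a minimum width: a 12-digit value still emits 12 digits.  A
 * 32-bit long can never reach 2^33, which is why only 64-bit builds can hit it. */
int odc_filesize_overflows_field(uint64_t size)
{
    return octal_digits_needed(size) > ODC_FILESIZE_DIGITS;
}
/* Hardened encoder: reject sizes that do not fit instead of writing past the
 * field; out must have room for ODC_FILESIZE_DIGITS + 1 bytes. */
int encode_odc_filesize(uint64_t size, char *out, size_t outlen)
{
    if (outlen < ODC_FILESIZE_DIGITS + 1 || size > ODC_FILESIZE_MAX)
        return -1;
    int n = snprintf(out, outlen, "%011" PRIo64, size);
    return (n == ODC_FILESIZE_DIGITS) ? 0 : -1;
}

/* Convenience wrapper: the encoded field (static storage) or NULL if rejected. */
const char *odc_filesize_str(uint64_t size)
{
    static char field[ODC_FILESIZE_DIGITS + 1];
    return encode_odc_filesize(size, field, sizeof field) == 0 ? field : NULL;
}

int main(void)
{
    uint64_t sparse = UINT64_C(8) << 30;   /* an 8 GiB sparse file */
    const char *f = odc_filesize_str(sparse);
    printf("8 GiB needs %d octal digits -> %s\n", octal_digits_needed(sparse),
           f ? f : "rejected (would overflow the 11-digit field)");
    return 0;
}
```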
------- Comment #1 From solar 2005-11-15 06:10:40 0000 -------
Do we have a link to a patch for this problem yet?

------- Comment #2 From Sune Kloppenborg Jeppesen 2005-11-15 08:44:28 0000 -------
Only the Redhat bug. I guess we can dig up a patch from them at some point. 
Otherwise I'll try V-S. 

------- Comment #3 From Sune Kloppenborg Jeppesen 2005-11-15 08:46:16 0000 -------
Patch is attached to the Redhat bug now I see. 

------- Comment #4 From Thierry Carrez (RETIRED) 2005-11-18 07:10:19 0000 -------
Base system please bump with patch

------- Comment #5 From solar 2005-11-20 05:38:43 0000 -------
Sadly the upstream patch does not apply cleanly to ours or even a vanilla
cpio-2.6

patching file src/copyout.c
Hunk #3 FAILED at 290.
1 out of 9 hunks FAILED -- saving rejects to file src/copyout.c.rej

Looking at the rej/patch hunk 3 is rather large.
Larger than I feel comfortable redoing for the sake of this bug.

Suggestion: contact upstream and request a vanilla patch or we need to find
somebody who does not have anything to do for the better half of a day. I think
contacting upstream is probably the way to go.

------- Comment #6 From Thierry Carrez (RETIRED) 2005-11-25 05:07:25 0000 -------
Yes, upstream HEAD (on which the upstream/RedHat patches are) is quite far from
vanilla 2.6... Apart from the 64-bit checksum thing, there have been some TOCTOU
security updates and a few complete rewrites :/

So there are several options (stick to vanilla, HEAD, Debian patchset...), and
it's best for the maintainers (base-system herd) to choose between those, even
before contacting upstream at <gray@gnu.org.ua>...

------- Comment #7 From SpanKY 2005-12-01 01:45:21 0000 -------
cpio-2.6-r5 now in portage with patches from Fedora

------- Comment #8 From Thierry Carrez (RETIRED) 2005-12-01 03:14:28 0000 -------
Arches please test and mark stable. Only 64-bit arches are concerned, but
others can/should mark it as well.


------- Comment #9 From Thierry Carrez (RETIRED) 2005-12-01 04:56:27 0000 -------
Hm. Not sure this is a security issue, in fact.

This happens when creating the cpio archive, meaning you'd have to create a very
strange content and entice someone else to create an archive with it...

Apparently everyone agrees with it since CVE was not assigned, and nobody
released an advisory for this (while it was posted on v-s quite some time ago).

So I'd stable it on 64-bit archs and close it without GLSA.

------- Comment #10 From Gustavo Zacarias (RETIRED) 2005-12-01 05:12:17 0000 -------
sparc stable.

------- Comment #11 From Sune Kloppenborg Jeppesen 2005-12-02 04:12:10 0000 -------
RH bug is closed with Severity security. 
 
I agree on the no GLSA part. 

------- Comment #12 From Markus Rothe 2005-12-02 05:15:17 0000 -------
stable on ppc64 

------- Comment #13 From Fabian Groffen 2005-12-02 07:52:57 0000 -------
stable on ppc-macos

------- Comment #14 From Fabian Groffen 2005-12-02 07:53:29 0000 -------
sorry for the bugspam, forgot to check the checkbox

------- Comment #15 From Andrej Kacian (RETIRED) 2005-12-02 08:54:08 0000 -------
Stable on x86.

------- Comment #16 From Fernando J. Pereda 2005-12-02 13:22:48 0000 -------
Stable on alpha

Cheers,
Ferdy

------- Comment #17 From Simon Stelling (RETIRED) 2005-12-03 02:45:37 0000 -------
stable on amd64

------- Comment #18 From Michael Hanselmann (hansmi) (RETIRED) 2005-12-05 09:51:52 0000 -------
Marked stable

------- Comment #19 From Sune Kloppenborg Jeppesen 2005-12-05 12:46:23 0000 -------
Closing without GLSA. 
 
mips don't forget to mark stable and sorry for any bugspam. 

------- Comment #20 From Joshua Kinard 2005-12-24 17:05:51 0000 -------
stable on mips.
