When feeding zoo a specially crafted archive, an attacker may be able to trigger a stack overflow and seize control of the program. fullpath()/misc.c accepts a pointer to a directory entry and returns the combined directory name and filename. fullpath() calls the function combine()/misc.c, and assume that the length of the string returned is never longer than 256 bytes. In fact, the string returned can be made a little longer than 512 bytes. If the string is in fact longer than 256 bytes, a static variable can be overflowed in the function fullpath()/misc.c . This string is later used in a strcpy() on a destination buffer of 256 bytes on the stack. It is then easy to overwrite EIP and take control of the program. III. PATCH diff -u -r -r zoo-2.10.old/misc.c zoo-2.10.orig/misc.c --- zoo-2.10.old/misc.c 1991-07-05 12:00:00.000000000 -0400 +++ zoo-2.10.orig/misc.c 2006-01-29 17:20:35.000000000 -0500 @@ -135,11 +135,16 @@ char *fullpath (direntry) struct direntry *direntry; { - static char result[PATHSIZE]; + static char result[PATHSIZE+PATHSIZE+12]; // Room for enough space combine (result, direntry->dirlen != 0 ? direntry->dirname : "", (direntry->namlen != 0) ? direntry->lfname : direntry->fname ); + + if (strlen (result) >= PATHSIZE) { + prterror ('f', "Combined dirname and filename too long\n"); + } + return (result); }
yay, no maintainer ...
i'll take it
x86 stable. other archs, please stabalize 2.10-r1
One epatch source seems to be wrong. Here is the output: * Cannot find $EPATCH_SOURCE! Value for $EPATCH_SOURCE is: * * /var/tmp/portage/zoo-2.10-r1/work/zoo-2.10-gcc33-issues-fix.patch * ( zoo-2.10-gcc33-issues-fix.patch ) epatch tries ${WORKDIR} instead of ${DISTDIR}.
this was already fixed in CVS. ppc64 stable now!
sparc stable.
Changing status
ppc stable
amd64 stable, and it seems alpha is already done too: 26 Feb 2006; Bryan
amd64 stable, and it seems alpha is already done too: 26 Feb 2006; Bryan Østergaard <kloeri@gentoo.org zoo-2.10-r1.ebuild: Stable on alpha, bug 123782.
GLSA 200603-05
