Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 123782
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Stefan Cornelius (RETIRED) <dercorny@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 123782 depends on: Show dependency tree
Bug 123782 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2006-02-22 20:56 0000 
When feeding zoo a specially crafted archive, an attacker may be able
to trigger a stack overflow and seize control of the program.

fullpath()/misc.c accepts a pointer to a directory entry and returns the
combined directory name and filename.  fullpath() calls the function
combine()/misc.c, and assume that the length of the string returned is never
longer than 256 bytes.  In fact, the string returned can be made a little
longer than 512 bytes.

If the string is in fact longer than 256 bytes, a static variable can be
overflowed in the function fullpath()/misc.c .  This string is later used
in a strcpy() on a destination buffer of 256 bytes on the stack.

It is then easy to overwrite EIP and take control of the program.


III.    PATCH

diff -u -r -r zoo-2.10.old/misc.c zoo-2.10.orig/misc.c
--- zoo-2.10.old/misc.c 1991-07-05 12:00:00.000000000 -0400
+++ zoo-2.10.orig/misc.c        2006-01-29 17:20:35.000000000 -0500
@@ -135,11 +135,16 @@
 char *fullpath (direntry)
 struct direntry *direntry;
 {
-       static char result[PATHSIZE];
+       static char result[PATHSIZE+PATHSIZE+12]; // Room for enough space
        combine (result,
                                direntry->dirlen != 0 ?
direntry->dirname : "",
                                (direntry->namlen != 0) ? direntry->lfname :
                                direntry->fname
                          );
+
+       if (strlen (result) >= PATHSIZE) {
+               prterror ('f', "Combined dirname and filename too long\n");
+       }
+
        return (result);
 }

------- Comment #1 From Stefan Cornelius (RETIRED) 2006-02-22 20:58:35 0000 ------- 
yay, no maintainer ...

------- Comment #2 From Jonathan Smith 2006-02-23 13:15:44 0000 ------- 
i'll take it

------- Comment #3 From Jonathan Smith 2006-02-23 13:40:09 0000 ------- 
x86 stable. other archs, please stabalize 2.10-r1

------- Comment #4 From Markus Rothe 2006-02-23 23:02:32 0000 ------- 
One epatch source seems to be wrong. Here is the output:

 * Cannot find $EPATCH_SOURCE!  Value for $EPATCH_SOURCE is:
 *
 *   /var/tmp/portage/zoo-2.10-r1/work/zoo-2.10-gcc33-issues-fix.patch
 *   ( zoo-2.10-gcc33-issues-fix.patch )

epatch tries ${WORKDIR} instead of ${DISTDIR}.

------- Comment #5 From Markus Rothe 2006-02-23 23:04:37 0000 ------- 
this was already fixed in CVS. ppc64 stable now!

------- Comment #6 From Gustavo Zacarias (RETIRED) 2006-02-24 06:17:43 0000 ------- 
sparc stable.

------- Comment #7 From Thierry Carrez (RETIRED) 2006-02-26 09:25:53 0000 ------- 
Changing status

------- Comment #8 From Tobias Scherbaum 2006-02-26 10:51:51 0000 ------- 
ppc stable

------- Comment #9 From Simon Stelling (RETIRED) 2006-02-27 11:29:08 0000 ------- 
amd64 stable, and it seems alpha is already done too:

  26 Feb 2006; Bryan

------- Comment #10 From Simon Stelling (RETIRED) 2006-02-27 11:29:08 0000 ------- 
amd64 stable, and it seems alpha is already done too:

  26 Feb 2006; Bryan Østergaard <kloeri@gentoo.org zoo-2.10-r1.ebuild:
  Stable on alpha, bug 123782.

------- Comment #11 From Thierry Carrez (RETIRED) 2006-03-06 13:28:37 0000 ------- 
GLSA 200603-05
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug