123782 2006-02-22 20:56 0000 app-arch/zoo: buffer overflows 2006-03-06 13:28:37 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B2 [glsa] DerCorny P2 normal --- 1 dercorny@gentoo.org security@gentoo.org smithj@gentoo.org dercorny@gentoo.org 2006-02-22 20:56:34 0000 When feeding zoo a specially crafted archive, an attacker may be able to trigger a stack overflow and seize control of the program. fullpath()/misc.c accepts a pointer to a directory entry and returns the combined directory name and filename. fullpath() calls the function combine()/misc.c, and assume that the length of the string returned is never longer than 256 bytes. In fact, the string returned can be made a little longer than 512 bytes. If the string is in fact longer than 256 bytes, a static variable can be overflowed in the function fullpath()/misc.c . This string is later used in a strcpy() on a destination buffer of 256 bytes on the stack. It is then easy to overwrite EIP and take control of the program. III. PATCH diff -u -r -r zoo-2.10.old/misc.c zoo-2.10.orig/misc.c --- zoo-2.10.old/misc.c 1991-07-05 12:00:00.000000000 -0400 +++ zoo-2.10.orig/misc.c 2006-01-29 17:20:35.000000000 -0500 @@ -135,11 +135,16 @@ char *fullpath (direntry) struct direntry *direntry; { - static char result[PATHSIZE]; + static char result[PATHSIZE+PATHSIZE+12]; // Room for enough space combine (result, direntry->dirlen != 0 ? direntry->dirname : "", (direntry->namlen != 0) ? direntry->lfname : direntry->fname ); + + if (strlen (result) >= PATHSIZE) { + prterror ('f', "Combined dirname and filename too long\n"); + } + return (result); } dercorny@gentoo.org 2006-02-22 20:58:35 0000 yay, no maintainer ... smithj@gentoo.org 2006-02-23 13:15:44 0000 i'll take it smithj@gentoo.org 2006-02-23 13:40:09 0000 x86 stable. other archs, please stabalize 2.10-r1 corsair@gentoo.org 2006-02-23 23:02:32 0000 One epatch source seems to be wrong. Here is the output: * Cannot find $EPATCH_SOURCE! Value for $EPATCH_SOURCE is: * * /var/tmp/portage/zoo-2.10-r1/work/zoo-2.10-gcc33-issues-fix.patch * ( zoo-2.10-gcc33-issues-fix.patch ) epatch tries ${WORKDIR} instead of ${DISTDIR}. corsair@gentoo.org 2006-02-23 23:04:37 0000 this was already fixed in CVS. ppc64 stable now! gustavoz@gentoo.org 2006-02-24 06:17:43 0000 sparc stable. koon@gentoo.org 2006-02-26 09:25:53 0000 Changing status dertobi123@gentoo.org 2006-02-26 10:51:51 0000 ppc stable blubb@gentoo.org 2006-02-27 11:29:08 0000 amd64 stable, and it seems alpha is already done too: 26 Feb 2006; Bryan blubb@gentoo.org 2006-02-27 11:29:08 0000 amd64 stable, and it seems alpha is already done too: 26 Feb 2006; Bryan Østergaard <kloeri@gentoo.org zoo-2.10-r1.ebuild: Stable on alpha, bug 123782. koon@gentoo.org 2006-03-06 13:28:37 0000 GLSA 200603-05