46998 2004-04-06 14:33 0000 <=app-arch/sharutils-4.2.1-r8 - Multiple command line vulnerabilities. 2004-05-20 14:15:58 0000 1 1 1 Unclassified Gentoo Security GLSA Errors unspecified All Linux RESOLVED FIXED SECURITY P2 normal --- 1 ruth@gentoo.org security@gentoo.org arch-maintainers@gentoo.org base-system@gentoo.org ruth@gentoo.org 2004-04-06 14:33:44 0000 from bugtraq@securityfocus.com: ... Details ######## A stack-based buffer overflow vulnerability exists in the popular 'shar' utility packaged in the GNU sharutils distribution, due to lack of bounds checking when handling the '-o' command-line option. During the command-line argument parsing routine, when the '-o' flag is encountered, 'shar' performs a 'strcpy()' call to blindly copy the user-supplied argument after '-o' without bounds checking, into a fixed length buffer, output_base_name, which has only 50 allocated to it. ... Solution ######### I contacted the vendor, GNU, and received no response within 4 1/2 days. Although this issue isn't to be considered a serious security threat, there are instances where this can be exploited by a would-be attacker to execute code, such as in the circumstances suggested above (cgi script, sXid program, etc). Therefore, it would be considered good practice to apply the fix regardless of whether your system is likely to be compromised as a result of the issue. I have written a simple patch below to fix the buffer overflow bug: --- shar-bof.patch --- --- shar.1.c 2004-04-06 16:26:55.000000000 +0100 +++ shar.c 2004-04-06 16:32:32.000000000 +0100 @@ -1905,7 +1905,7 @@ break; case 'o': - strcpy (output_base_name, optarg); + strncpy (output_base_name, optarg, sizeof(output_base_name)); if (!strchr (output_base_name, '%')) strcat (output_base_name, ".%02d"); part_number = 0; --- EOF --- ... above text is a snippet from the bugtraq maillist. Apply the patch, and rebuild: --- bash# patch < shar-bof.patch && make && make install so long rootshell Reproducible: Always Steps to Reproduce: 1. 2. 3. vapier@gentoo.org 2004-04-06 14:56:02 0000 sharutils-4.2.1-r8 has this patch i dont think we need a GLSA as this doesnt seem to have any exploitable-ness to it ... koon@gentoo.org 2004-04-07 08:48:29 0000 4.2.1-r8 must be stable before we get into GLSA process. Resetting component to Security. vapier@gentoo.org 2004-04-07 15:46:08 0000 i tested on x86 / sparc / hppa so those are stable now agriffis@gentoo.org 2004-04-07 18:55:10 0000 alpha and ia64 are stable kumba@gentoo.org 2004-04-07 21:31:25 0000 Stable on mips. solar@gentoo.org 2004-04-08 02:35:06 0000 sharutils-4.2.1-r8 bug update. Currently in cvs portage tree as. KEYWORDS="x86 ~amd64 ~ppc sparc alpha hppa ia64 ~ppc64 s390 mips" Adding amd64 & ppc to this bug. I would think this would fall under the "good practice" vs GLSA and thus the 'Severity' could be lowered from critical to normal. Users can usually walk all over themselves from the command line. avenj@gentoo.org 2004-04-08 07:36:51 0000 Marked stable on amd64 solar@gentoo.org 2004-04-09 07:22:14 0000 While adding another patch to the sharutils bug that Florian had sent us in mail, I noticed that the code lacked bounds checking a few lines below in the same -o option. --- 1907,1912 ---- case 'o': strcpy (output_base_name, optarg); + memset(output_base_name, '\0', sizeof(output_base_name)); + strncpy (output_base_name, optarg, sizeof(output_base_name)-1); if (!strchr (output_base_name, '%')) strcat (output_base_name, ".%02d"); As we can see we can fill the string up to sizeof(blah)-1 but what if the string contains a format identifier? It will overflow right again. Not only will it overflow but we have the full makings here of a format string vuln. Check it out.. solar@simple sharutils $ shar -o `perl -e 'print "%p" x 54'` solar@simple sharutils $ ls solar@simple sharutils $ shar -o `perl -e 'print "%p" x 54'` shar: No input files Try `shar --help' for more information. solar@simple sharutils $ ls 0x10x2e80f0200x30356230x5e2e60c80x2e8e1dd70x30x5e2e62a40xe25c7dd0xe25ecc00xe25eff00xe25f1e00xe25f2120x5e2e62580xe258dcd0xe25f1e00x250x320xe25ecc0(nil)0x2e82dd500x2e8253f00x2e80fb200x30x2e80fda80x2e80eff8 # fun with all the format identifiers... shar -o `perl -e 'print "%d" x 54'` shar -o `perl -e 'print "%s" x 54'` It's safe to say this is not fixed and new patch should be created. solar@gentoo.org 2004-04-13 13:26:10 0000 I'm reviewing this patch shortly. http://marc.theaimsgroup.com/?l=bugtraq&m=108164583423126&w=2 solar@gentoo.org 2004-04-13 14:43:23 0000 Ok patch works for the -o format string problem. But while looking over other areas of code in sharutils I found what looks like more undesired voodoo.. Actually quite a bit of it. This thing needs either a complete rewrite or a full audit in my opinion. Neither of which I intend to do.. (Volunteers Welcome) I also can't make heads/tails of who to exactly mail upstream about all this. klieber@gentoo.org 2004-04-20 04:43:43 0000 OK, the only semi-relevant email address I can find is bug-gnu-utils@prep.ai.mit.edu, which is listed in the README included with the sharutils sources. I contacted them and asked them to look at our bug here and provide some sort of response. (and hopefully a patch) klieber@gentoo.org 2004-04-20 04:52:03 0000 OK, Google proved its worth once more. The current active address for bug-gnu-utils seems to be bug-gnu-utils@gnu.org. Looking at the archives[1] for the mailing list, it appears there are two semi-active maintainers of sharutils; Karl Eichwalder <keichwa@gmx.net> and Paul Eggert <eggert@twinsun.com>. Solar -- since you're most familiar with the issues you've found in sharutils (outside of the -o issue) would you mind emailing these folks and asking for their input? [1]http://mail.gnu.org/archive/html/bug-gnu-utils/ solar@gentoo.org 2004-04-23 01:01:31 0000 mail sent. solar@gentoo.org 2004-05-15 09:38:26 0000 Created an attachment (id=31485) command line handling From: Karl Eichwalder <ke@gnu.franken.de To: solar@gentoo.org Cc: eggert@twinsun.com Subject: Re: <=app-arch/sharutils-4.2.1-r8 - Multiple command line vulnerabilities. Date: Sat, 15 May 2004 11:19:19 +0200 Thanks for the info; I'm going to add tht appended patch supplied by Suse Linux. My sharutils CVS is here: http://developer.berlios.de/projects/sharutils/ - if one of you wants to become a "developer" or a "project admin" please drop me a line. 2004-05-15 Karl Eichwalder <ke@gnu.franken.de> * shar.c (open_output): Fix command line handling; reported by Ned Ludd: http://bugs.gentoo.org/show_bug.cgi?id=46998 Use patch supplied by Michael Schr solar@gentoo.org 2004-05-15 09:38:26 0000 Created an attachment (id=31485) command line handling From: Karl Eichwalder <ke@gnu.franken.de To: solar@gentoo.org Cc: eggert@twinsun.com Subject: Re: <=app-arch/sharutils-4.2.1-r8 - Multiple command line vulnerabilities. Date: Sat, 15 May 2004 11:19:19 +0200 Thanks for the info; I'm going to add tht appended patch supplied by Suse Linux. My sharutils CVS is here: http://developer.berlios.de/projects/sharutils/ - if one of you wants to become a "developer" or a "project admin" please drop me a line. 2004-05-15 Karl Eichwalder <ke@gnu.franken.de> * shar.c (open_output): Fix command line handling; reported by Ned Ludd: http://bugs.gentoo.org/show_bug.cgi?id=46998 Use patch supplied by Michael Schröder: http://bugzilla.suse.de [#39122, password protected]. solar@gentoo.org 2004-05-15 09:55:03 0000 Updated existing patch in portage tree but revision bumped to force updates. sharutils-4.2.1-r9.ebuild: KEYWORDS="~x86 ~amd64 ~ppc ~sparc ~alpha ~hppa ~ia64 ~ppc64 ~s390 ~mips" koon@gentoo.org 2004-05-15 10:59:14 0000 arch-maintainers : please mark stable on all arches (except arm) gustavoz@gentoo.org 2004-05-15 11:27:50 0000 Marked stable on sparc. gmsoft@gentoo.org 2004-05-15 13:12:31 0000 Marked stable on hppa. kumba@gentoo.org 2004-05-15 13:18:03 0000 Marked stable on mips. avenj@gentoo.org 2004-05-15 13:27:08 0000 Stable on amd64 and x86 kloeri@gentoo.org 2004-05-15 13:54:49 0000 Stable on alpha. lu_zero@gentoo.org 2004-05-15 18:51:16 0000 Stable on ppc koon@gentoo.org 2004-05-16 03:15:45 0000 Ready for a GLSA draft solar@gentoo.org 2004-05-16 10:08:17 0000 Send a GLSA if you want. But please note that further auditing should be done on sharutils. koon@gentoo.org 2004-05-16 10:10:30 0000 GLSA drafted for the case we need it... koon@gentoo.org 2004-05-20 14:15:58 0000 Not really exploitable so closed without GLSA. 31485 2004-05-15 09:38 0000 command line handling attachment.diff text/plain SW5kZXg6IHNyYy9zaGFyLmMKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PQpSQ1MgZmlsZTogL2hvbWUva2UvY3Zzcm9vdC9z aGFydXRpbHMvc3JjL3NoYXIuYyx2CnJldHJpZXZpbmcgcmV2aXNpb24gMS4yMgpkaWZmIC11IC1y MS4yMiBzaGFyLmMKLS0tIHNyYy9zaGFyLmMJMiBEZWMgMjAwMiAyMDo1MjoxMCAtMDAwMAkxLjIy CisrKyBzcmMvc2hhci5jCTE1IE1heSAyMDA0IDA5OjEzOjE2IC0wMDAwCkBAIC0yNTUsMTEgKzI1 NSwxMSBAQAogLyogUG9zaXRpb24gZm9yIGZpcnN0IGZpbGUgaW4gdGhlIHNoYXIgZmlsZS4gICov CiBzdGF0aWMgb2ZmX3QgZmlyc3RfZmlsZV9wb3NpdGlvbjsKIAotLyogQmFzZSBmb3Igb3V0cHV0 IGZpbGVuYW1lLiAgRklYTUU6IE5vIGZpeCBsaW1pdCBpbiBHTlUuLi4gKi8KLXN0YXRpYyBjaGFy IG91dHB1dF9iYXNlX25hbWVbNTBdOworLyogQmFzZSBmb3Igb3V0cHV0IGZpbGVuYW1lLiAgKi8K K3N0YXRpYyBjaGFyICpvdXRwdXRfYmFzZV9uYW1lOwogCi0vKiBBY3R1YWwgb3V0cHV0IGZpbGVu YW1lLiAgRklYTUU6IE5vIGZpeCBsaW1pdCBpbiBHTlUuLi4gKi8KLXN0YXRpYyBjaGFyIG91dHB1 dF9maWxlbmFtZVs1MF07CisvKiBBY3R1YWwgb3V0cHV0IGZpbGVuYW1lLiAgKi8KK3N0YXRpYyBj aGFyICpvdXRwdXRfZmlsZW5hbWU7CiAKIHN0YXRpYyBjaGFyICpzdWJtaXR0ZXJfYWRkcmVzcyA9 IE5VTEw7CiAKQEAgLTE3MjcsNyArMTcyNywxMiBAQAogc3RhdGljIHZvaWQKIG9wZW5fb3V0cHV0 ICgpCiB7Ci0gIHNwcmludGYgKG91dHB1dF9maWxlbmFtZSwgb3V0cHV0X2Jhc2VfbmFtZSwgKytw YXJ0X251bWJlcik7CisgIHNpemVfdCBsOworICBsID0gc3RybGVuKG91dHB1dF9iYXNlX25hbWUp ICsgMTI4OworICBpZiAob3V0cHV0X2ZpbGVuYW1lKQorICAgIGZyZWUob3V0cHV0X2ZpbGVuYW1l KTsKKyAgb3V0cHV0X2ZpbGVuYW1lID0geG1hbGxvYyhsKTsKKyAgc25wcmludGYob3V0cHV0X2Zp bGVuYW1lLCBsLCBvdXRwdXRfYmFzZV9uYW1lLCArK3BhcnRfbnVtYmVyKTsKICAgb3V0cHV0ID0g Zm9wZW4gKG91dHB1dF9maWxlbmFtZSwgInciKTsKICAgaWYgKCFvdXRwdXQpCiAgICAgZXJyb3Ig KEVYSVRfRkFJTFVSRSwgZXJybm8sIF8oIk9wZW5pbmcgYCVzJyIpLCBvdXRwdXRfZmlsZW5hbWUp OwpAQCAtMTkwNyw2ICsxOTEyLDQyIEBACiAgICAgZmlsZV9zaXplX2xpbWl0ID0gbGltOwogfQog CisKK2NoYXIgKnBhcnNlX291dHB1dF9iYXNlX25hbWUoY2hhciAqYXJnKQoreworICBpbnQgYzsK KyAgaW50IGhhZGFyZyA9IDA7CisgIGNoYXIgKmZtdCwgKnA7CisKKyAgZm9yIChwID0gYXJnIDsg KGMgPSAqcCsrKSAhPSAwOyApCisgICAgeworICAgICAgaWYgKGMgIT0gJyUnKQorCWNvbnRpbnVl OworICAgICAgYyA9ICpwKys7CisgICAgICBpZiAoYyA9PSAnJScpCisJY29udGludWU7CisgICAg ICBpZiAoaGFkYXJnKQorCXJldHVybiAwOworICAgICAgd2hpbGUgKGMgIT0gMCAmJiBzdHJjaHIo IiMwKy0gJ0kiLCBjKSAhPSAwKQorCWMgPSAqcCsrOworICAgICAgd2hpbGUgKGMgIT0gMCAmJiBj ID49ICcwJyAmJiBjIDw9ICc5JykKKwljID0gKnArKzsKKyAgICAgIGlmIChjID09ICcuJykKKwlj ID0gKnArKzsKKyAgICAgIHdoaWxlIChjICE9IDAgJiYgYyA+PSAnMCcgJiYgYyA8PSAnOScpCisJ YyA9ICpwKys7CisgICAgICBpZiAoYyA9PSAwIHx8IHN0cmNocigiZGlvdXhYIiwgYykgPT0gMCkK KwlyZXR1cm4gMDsKKyAgICAgIGhhZGFyZyA9IDE7CisgICAgfQorICBmbXQgPSB4bWFsbG9jKHN0 cmxlbihhcmcpICsgKGhhZGFyZyA/IDEgOiA2KSk7CisgIHN0cmNweShmbXQsIGFyZyk7CisgIGlm ICghaGFkYXJnKQorICAgIHN0cmNhdChmbXQsICIuJTAyZCIpOworICByZXR1cm4gZm10OworfQor CisKIC8qLS0tLgogfCA/ICB8CiBgLS0tKi8KQEAgLTIwNDcsOSArMjA4OCwxNCBAQAogCWJyZWFr OwogCiAgICAgICBjYXNlICdvJzoKLQlzdHJjcHkgKG91dHB1dF9iYXNlX25hbWUsIG9wdGFyZyk7 Ci0JaWYgKCFzdHJjaHIgKG91dHB1dF9iYXNlX25hbWUsICclJykpCi0JICBzdHJjYXQgKG91dHB1 dF9iYXNlX25hbWUsICIuJTAyZCIpOworCWlmIChvdXRwdXRfYmFzZV9uYW1lKQorCSAgZnJlZSAo b3V0cHV0X2Jhc2VfbmFtZSk7CisgICAgICAgIG91dHB1dF9iYXNlX25hbWUgPSBwYXJzZV9vdXRw dXRfYmFzZV9uYW1lKG9wdGFyZyk7CisgICAgICAgIGlmICghb3V0cHV0X2Jhc2VfbmFtZSkKKwkg IHsKKwkgICAgZnByaW50ZiAoc3RkZXJyLCBfKCJpbGxlZ2FsIG91dHB1dCBwcmVmaXhcbiIpKTsK KwkgICAgZXhpdCAoRVhJVF9GQUlMVVJFKTsKKwkgIH0KIAlwYXJ0X251bWJlciA9IDA7CiAJb3Bl bl9vdXRwdXQgKCk7CiAJYnJlYWs7Cg==