73858 2004-12-08 18:25 0000 sys-apps/ed produces incorrect output (bug 66400 redux) 2005-01-09 12:39:57 0000 1 1 1 Unclassified Gentoo Linux Core system unspecified All Linux RESOLVED FIXED http://savannah.gnu.org/patch/index.php?func=detailitem&item_id=3628 P2 critical --- 66400 1 robbat2@gentoo.org base-system@gentoo.org security@gentoo.org ulm@gentoo.org robbat2@gentoo.org 2004-12-08 18:25:29 0000 Since the security fix in bug #66400 was applied to ed, it no longer produces a correct output file if the stderr file description is closed. Instead it produces a corrupted output file. If the patch from #66400 is NOT used, then the bug does not occur. Reproducible: Always Steps to Reproduce: see attached test script files. Actual Results: if stderr is closed when ed runs, the output file is corrupted when the 'write' command is run in ed. Expected Results: The output file should not be corrupted. Portage 2.0.51-r3 (!/usr/portage/profiles/default-linux/x86/2004.3, gcc-3.3.5, glibc-2.3.4.20041102-r0, 2.6.7-mm4 i686) ================================================================= System uname: 2.6.7-mm4 i686 AMD Athlon(tm) XP 2400+ Gentoo Base System version 1.6.6 distcc 2.18 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.3 [enabled] Autoconf: sys-devel/autoconf-2.59-r5 Automake: sys-devel/automake-1.8.5-r1 Binutils: sys-devel/binutils-2.15.92.0.2-r1 Headers: sys-kernel/linux26-headers-2.6.8.1-r1 Libtools: sys-devel/libtool-1.5.2-r7 ACCEPT_KEYWORDS="x86 ~x86" AUTOCLEAN="yes" CFLAGS="-march=athlon-xp -mcpu=athlon-xp -O3 -pipe" CHOST="i686-pc-linux-gnu" COMPILER="" CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/s hare/config /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/ dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/c onfig/ /usr/share/texmf/xdvi/ /var/bind /var/qmail/alias /var/qmail/control /var /vpopmail/domains /var/vpopmail/etc" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-march=athlon-xp -mcpu=athlon-xp -O3 -pipe" DISTDIR="/usr/gentoo-distfiles" FEATURES="autoaddcvs autoconfig buildpkg ccache confcache cvs digest distcc distlocks sandbox sfperms sign userpriv" GENTOO_MIRRORS="http://gentoo.ccccom.com http://gentoo.seren.com/gentoo" MAKEOPTS="-j1" PKGDIR="/usr/gentoo-packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/gentoo-cvs/gentoo-x86" PORTDIR_OVERLAY="/usr/local/portage" SYNC="" USE="3dnow aalib acl acpi alsa amd apache2 apm berkdb bitmap-fonts cdr cgi clearpasswd crypt cscope cups curl divx4linux f77 fam foomaticdb fortran gd gdbm geoip gif imagemagick imap innodb ipalias ipv6 java jikes jpeg junit libwww mad maildir mcal md5sum mikmod mmx mpeg multitarget mysql ncurses offensive pam pcap pdflib perl pic plotutils png pnp ppds python qmail readline samba scanner slp snmp socks5 spell sqlite sse ssl tetex tiff truetype type1 ungif usb userlocales v4l v4l2 x86 xml xml2 xvid zlib" robbat2@gentoo.org 2004-12-08 18:27:53 0000 Created an attachment (id=45580) edtest.cpp Source code for testing binary. robbat2@gentoo.org 2004-12-08 18:28:24 0000 Created an attachment (id=45581) dotest.sh Script file to run test case and prove the error. koon@gentoo.org 2004-12-22 04:26:40 0000 Here is the patch (from LFS) that was applied by base-system to fix the vulnerability : ============================================================ --- ed-0.2/buf.c Sat Nov 19 04:37:59 1994 +++ ed-0.2-2/buf.c Tue May 28 18:38:23 2002 @@ -200,13 +200,13 @@ int open_sbuf () { - char *mktemp (); - int u; + int u, sfd; isbinary = newline_added = 0; u = umask(077); strcpy (sfn, "/tmp/ed.XXXXXX"); - if (mktemp (sfn) == NULL || (sfp = fopen (sfn, "w+")) == NULL) + sfd = mkstemp(sfn); + if ((sfd == -1) || (sfp = fopen (sfn, "w+")) == NULL) { fprintf (stderr, "%s: %s\n", sfn, strerror (errno)); sprintf (errmsg, "Cannot open temp file"); ============================================================= I fail to see where it introduces a regression, since apparently it just switched a mktemp for a mkstemp. Maybe someone more literate on those issues will find where it fails... robbat2@gentoo.org 2004-12-23 02:42:56 0000 The error in your patch is that mkstemp returns a file descriptor for an OPEN file already (eg it runs fopen on the file). so: + sfd = mkstemp(sfn); + if ((sfd == -1) || (sfp = fopen (sfn, "w+")) == NULL) if mkstemp returns a good value, and then "sfp = fopen (sfn, "w+")" is run, opening the file again. vapier@gentoo.org 2004-12-23 13:49:11 0000 - if ((sfd == -1) || (sfp = fopen (sfn, "w+")) == NULL) + if (sfd == -1) so this patch will fix it ? ulm@gentoo.org 2004-12-27 03:18:25 0000 This wouldn't work, since not a file descriptor, but a FILE pointer is needed. However, I believe the patch from LFS is incorrect. Not fopen should be called, but fdopen on the descriptor: - if ((sfd == -1) || (sfp = fopen (sfn, "w+")) == NULL) + if ((sfd == -1) || (sfp = fdopen (sfd, "w+")) == NULL) vapier@gentoo.org 2004-12-27 05:37:23 0000 true ... robbat2, that patch looks much more sane, does that resolve this for you ? robbat2@gentoo.org 2005-01-09 02:50:32 0000 Ok, your patch change there to use fdopen fixes the problem. I've put it in the tree as r5, but arches need to stabilize. The changed patch should probably be sent upstream. vapier@gentoo.org 2005-01-09 12:31:12 0000 marked stable ;) 45580 2004-12-08 18:27 0000 edtest.cpp edtest.cpp text/plain Ly8gZWR0ZXN0LmNwcAojaW5jbHVkZSA8c3RkaW8uaD4KI2luY2x1ZGUgPHN0ZGxpYi5oPgojaW5j bHVkZSA8dGltZS5oPgojaW5jbHVkZSA8dW5pc3RkLmg+CiNpbmNsdWRlIDx3YWl0Lmg+CmludCBt YWluKGludCBhcmdjLCBjaGFyKiogYXJndikgewoJaW50IHBbMl07CgkvL3ByaW50ZigiWzBdIG1h a2luZyBhIHBpcGVcbiIpOwoJcGlwZShwKTsKCWNoYXIqIGZpbGVuYW1lID0gYXJndlsxXTsKCS8v cHJpbnRmKCJbMF0gZm9ya2luZ1xuIik7CglwaWRfdCBjcGlkID0gZm9yaygpOwoJaWYoY3BpZCA9 PSAtMSkgewoJCWZwcmludGYoc3RkZXJyLCJmb3JrIGZhaWxlZFxuIik7CgkJZXhpdCgyKTsKCX0K CWlmKGNwaWQgPT0gMCkgewoJCS8vcHJpbnRmKCJbMV0gY2xvc2luZyBmZHNcbiIpOwoJCWNsb3Nl KDApOwoJCWNsb3NlKDEpOwojaWZuZGVmIFdPUktJTkcKCQljbG9zZSgyKTsgLy8gaWYgeW91IGNv bW1lbnQgb3V0IHRoaXMgbGluZSwgdGhlIHByb2dyYW0gd29ya3MgZmluZQojZW5kaWYKCQlkdXAy KHBbMF0sIDApOwoKCQkvL3ByaW50ZigiWzFdIGV4ZWNscCBcbiIpOwoJCWV4ZWNscCgiZWQiLCAi ZWQiLCBmaWxlbmFtZSwgMCk7CgkJZXhpdCgxKTsgLy8gd2Ugb25seSByZWFjaCBoZXJlIGluIGNh c2Ugb2YgYW4gZXJyb3IhCgl9CgkvL3ByaW50ZigiWzBdIG9wZW5pbmcgcGlwZVxuIik7CglGSUxF ICpjbWQgPSBmZG9wZW4ocFsxXSwgInciKTsKCS8vcHJpbnRmKCJbMF0gc2VuZGluZyBjb21tYW5k c1xuIik7CglmcHJpbnRmKGNtZCwgIixzL2hlbGxvL2dvb2RieWUvZ1xuIik7CglmcHJpbnRmKGNt ZCwgIndcbiIpOwoJZnByaW50ZihjbWQsICJRXG4iKTsKCS8vcHJpbnRmKCJbMF0gZmx1c2hpbmcg Y29tbWFuZHNcbiIpOwoJZmZsdXNoKGNtZCk7CglpbnQgc3RhdHVzOwoJLy9wcmludGYoIlswXSBj aGVja2luZyBzdGF0dXMgXG4iKTsKCXdhaXRwaWQoMCwgJnN0YXR1cywgMCk7CglpZihXSUZFWElU RUQoc3RhdHVzKSkgewoJCWZwcmludGYoc3RkZXJyLCAiZWQgcmV0dmFsPSVkXG4iLFdFWElUU1RB VFVTKHN0YXR1cykpOwoJfSBlbHNlIHsKCQlmcHJpbnRmKHN0ZGVyciwgImVkIHRlcm1pbmF0ZWQg YWJub3JtYWxseVxuIik7Cgl9CglyZXR1cm4gMDsKfQo= 45581 2004-12-08 18:28 0000 dotest.sh dotest.sh text/plain IyEvYmluL3NoCkYxPS90bXAvdGVzdGZpbGUud29ya2luZwpGMj0vdG1wL3Rlc3RmaWxlLmJyb2tl bgoKc2hvd2NvbnRlbnRzKCkgewoJZj0iJDEiCgllY2hvIC1lICJDb250ZW50cyBvZiAkZlxuLS0t IgoJY2F0ICRmCgllY2hvICItLS0iCn0KZWNobyAiQ29tcGlsaW5nIGJpbmFyaWVzIgpnKysgLVdh bGwgZWR0ZXN0LmNwcCAtbyBlZHRlc3Qud29ya2luZyAtRFdPUktJTkcKZysrIC1XYWxsIGVkdGVz dC5jcHAgLW8gZWR0ZXN0LmJyb2tlbgoKZWNobyAiIyMjIElucHV0IHRvIHdvcmtpbmcgYmluYXJ5 IgplY2hvIGhlbGxvID4kRjEKc2hvd2NvbnRlbnRzICRGMQplY2hvICIjIyMgUnVubmluZyB3b3Jr aW5nIGJpbmFyeSIKLi9lZHRlc3Qud29ya2luZyAkRjEKZWNobyAiIyMjIE91dHB1dCBmcm9tIHdv cmtpbmcgYmluYXJ5IgpzaG93Y29udGVudHMgJEYxCgoKZWNobyAiIyMjIElucHV0IHRvIGJyb2tl biBiaW5hcnkiCmVjaG8gaGVsbG8gPiRGMgpzaG93Y29udGVudHMgJEYyCmVjaG8gIiMjIyBSdW5u aW5nIGJyb2tlbiBiaW5hcnkiCi4vZWR0ZXN0LmJyb2tlbiAkRjIKZWNobyAiIyMjIE91dHB1dCBm cm9tIGJyb2tlbiBiaW5hcnkiCnNob3djb250ZW50cyAkRjIKCg==