Bug 123782 - app-arch/zoo: buffer overflows
Bug#: 123782 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: dercorny@gentoo.org
Component: Vulnerabilities
URL: 
Summary: app-arch/zoo: buffer overflows
Keywords:  
Status Whiteboard: B2 [glsa] DerCorny
Opened: 2006-02-22 20:56 0000
Description:   Opened: 2006-02-22 20:56 0000 
When feeding zoo a specially crafted archive, an attacker may be able
to trigger a stack overflow and seize control of the program.

fullpath()/misc.c accepts a pointer to a directory entry and returns the
combined directory name and filename.  fullpath() calls the function
combine()/misc.c, and assume that the length of the string returned is never
longer than 256 bytes.  In fact, the string returned can be made a little
longer than 512 bytes.

If the string is in fact longer than 256 bytes, a static variable can be
overflowed in the function fullpath()/misc.c .  This string is later used
in a strcpy() on a destination buffer of 256 bytes on the stack.

It is then easy to overwrite EIP and take control of the program.


III.    PATCH

diff -u -r -r zoo-2.10.old/misc.c zoo-2.10.orig/misc.c
--- zoo-2.10.old/misc.c 1991-07-05 12:00:00.000000000 -0400
+++ zoo-2.10.orig/misc.c        2006-01-29 17:20:35.000000000 -0500
@@ -135,11 +135,16 @@
 char *fullpath (direntry)
 struct direntry *direntry;
 {
-       static char result[PATHSIZE];
+       static char result[PATHSIZE+PATHSIZE+12]; // Room for enough space
        combine (result,
                                direntry->dirlen != 0 ?
direntry->dirname : "",
                                (direntry->namlen != 0) ? direntry->lfname :
                                direntry->fname
                          );
+
+       if (strlen (result) >= PATHSIZE) {
+               prterror ('f', "Combined dirname and filename too long\n");
+       }
+
        return (result);
 }

------- Comment #1 From Stefan Cornelius (RETIRED) 2006-02-22 20:58:35 0000 ------- 
yay, no maintainer ...

------- Comment #2 From Jonathan Smith 2006-02-23 13:15:44 0000 ------- 
i'll take it

------- Comment #3 From Jonathan Smith 2006-02-23 13:40:09 0000 ------- 
x86 stable. other archs, please stabalize 2.10-r1

------- Comment #4 From Markus Rothe 2006-02-23 23:02:32 0000 ------- 
One epatch source seems to be wrong. Here is the output:

 * Cannot find $EPATCH_SOURCE!  Value for $EPATCH_SOURCE is:
 *
 *   /var/tmp/portage/zoo-2.10-r1/work/zoo-2.10-gcc33-issues-fix.patch
 *   ( zoo-2.10-gcc33-issues-fix.patch )

epatch tries ${WORKDIR} instead of ${DISTDIR}.

------- Comment #5 From Markus Rothe 2006-02-23 23:04:37 0000 ------- 
this was already fixed in CVS. ppc64 stable now!

------- Comment #6 From Gustavo Zacarias (RETIRED) 2006-02-24 06:17:43 0000 ------- 
sparc stable.

------- Comment #7 From Thierry Carrez (RETIRED) 2006-02-26 09:25:53 0000 ------- 
Changing status

------- Comment #8 From Tobias Scherbaum 2006-02-26 10:51:51 0000 ------- 
ppc stable

------- Comment #9 From Simon Stelling (RETIRED) 2006-02-27 11:29:08 0000 ------- 
amd64 stable, and it seems alpha is already done too:

  26 Feb 2006; Bryan

------- Comment #10 From Simon Stelling (RETIRED) 2006-02-27 11:29:08 0000 ------- 
amd64 stable, and it seems alpha is already done too:

  26 Feb 2006; Bryan Østergaard <kloeri@gentoo.org zoo-2.10-r1.ebuild:
  Stable on alpha, bug 123782.

------- Comment #11 From Thierry Carrez (RETIRED) 2006-03-06 13:28:37 0000 ------- 
GLSA 200603-05