Bug#: 84680
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: rob holland (RETIRED) <tigger@gentoo.org>


Bug 84680 depends on: 82737


Description:   Opened: 2005-03-09 16:30 0000
A char * overflowable in rxvt with an escape code + text sequence.

doing:
$ cat evil_file

Overflows the string buffer in command.C:3539

Should be exploitable fairly easily. You can write whatever you like to 6144 bytes on the stack after the end of the allocated space for the string variable.

Fix is below:

--- command.C.orig	2005-03-10 01:18:28.180103872 +0000
+++ command.C	2005-03-10 01:18:43.840723096 +0000
@@ -3559,7 +3559,7 @@
 
       seen_esc = false;
 
-      if (n >= sizeof (string) - 1)
+      if ((n * sizeof(*string)) >= sizeof (string) - 1)
         // stop at some sane length
         return NULL;
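Review bot: the `- 1` is still measured in bytes after this change, so for any element type wider than one byte it reserves less than one element of headroom: `(n * sizeof(*string)) >= sizeof (string) - 1` first fires when `n` equals the element count, after the last slot has already been filled, so if the string is later terminated at `string[n]` that write lands past the array. Compare element counts instead, `n >= sizeof (string) / sizeof (*string) - 1`, which also removes the multiplication from every iteration.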

Every version we carry is vulnerable.

$ perl -e 'print "^[P" . ("x" x 5000)' > /tmp/evil_file
$ cat /tmp/evil_file

Gotta sleep now so haven't looked into this/thought about consequences as much as I might. Will look at it again tomorrow.

------- Comment #1 From rob holland (RETIRED) 2005-03-10 02:07:55 0000 -------
taviso pointed out that I was on drugs (well, very tired) and that not every
version we carry is vulnerable. The problem exists in the ebuilded versions for
4.8 and higher, no stable versions are affected. The patch is against 4.7 but
should apply happily to other versions (probably with an offset).

This is a shiny new version of the fix which should perform better (every time
an esc+P is received...woo-hoo...) and also avoids the chance of integer
promotion problems by fixing up the type of n.

Fix was discussed/developed with help from Yoann Vandoorselaere. Any bugs are
mine.

rob@leet /tmp/rxvt-unicode-4.7/src $ diff -u command.C command.C.new 
--- command.C   2004-12-29 19:09:31.000000000 +0000
+++ command.C.new       2005-03-10 10:53:09.696945440 +0000
@@ -3535,7 +3535,7 @@
 {
   unicode_t ch;
   bool seen_esc = false;
-  unsigned int n = 0;
+  size_t n = 0;
   wchar_t string[STRING_MAX];

   while ((ch = cmd_getc ()) != NOCHAR)
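Review bot: changing `n` to `size_t` is sound, since `sizeof` yields a `size_t` and the comparison below is then between one unsigned type, but on its own this hunk does not change the bound at all; it only removes the promotion concern mentioned above, so the actual fix has to come from the length check in the next hunk.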
@@ -3559,7 +3559,7 @@

       seen_esc = false;

-      if (n >= sizeof (string) - 1)
+      if (n >= (sizeof (string) / sizeof(*string)))
         // stop at some sane length
         return NULL;
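Review bot: this hunk drops the `- 1` headroom that the original `sizeof (string) - 1` carried: with `n >= sizeof (string) / sizeof (*string)` the loop can still store into the last element, and if the string is terminated at `string[n]` afterwards that write lands one element past the array. Keep the headroom: `n >= (sizeof (string) / sizeof (*string)) - 1`.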

------- Comment #2 From Tavis Ormandy (RETIRED) 2005-03-10 02:15:53 0000 -------
confirmed in >=4.8, that patch fixes the issue here.

Current stable version is unaffected. 

Good catch Rob :)

------- Comment #3 From rob holland (RETIRED) 2005-03-10 04:37:55 0000 -------
emailed upstream and cc'd security@g.o

------- Comment #4 From Sune Kloppenborg Jeppesen 2005-03-10 11:07:23 0000 -------
Thx Rob.

Mamoru please fix unstable versions if upstream does not release a fixed version soon.

------- Comment #5 From Mamoru KOMACHI (RETIRED) 2005-03-13 03:43:59 0000 -------
(Sorry I'm now in Taiwan and replying late)
I'm not maintaining x11-terms/rxvt-unicode but x11-terms/rxvt.
latexer: could you have a look at it? thanks.

------- Comment #6 From rob holland (RETIRED) 2005-03-13 05:15:59 0000 -------
upstream are releasing a fixed version after cebit :)

------- Comment #7 From rob holland (RETIRED) 2005-03-13 05:29:02 0000 -------
My patch mistakenly drops something it shouldn't. Corrected patch below:

rob@leet /tmp/rxvt-unicode-4.7/src $ diff -u command.C command.C.new 
--- command.C	2004-12-29 19:09:31.000000000 +0000
+++ command.C.new	2005-03-10 10:53:09.696945440 +0000
@@ -3535,7 +3535,7 @@
 {
   unicode_t ch;
   bool seen_esc = false;
-  unsigned int n = 0;
+  size_t n = 0;
   wchar_t string[STRING_MAX];
 
   while ((ch = cmd_getc ()) != NOCHAR)
@@ -3559,7 +3559,7 @@
 
       seen_esc = false;
 
-      if (n >= sizeof (string) - 1)
+      if (n >= ((sizeof (string) / sizeof(*string)) - 1))
         // stop at some sane length
         return NULL;
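Review bot: this is the right bound: element count minus one leaves a slot for the terminator, which the comment #1 version lacked. As a style point, `string` is declared `wchar_t string[STRING_MAX]` in the hunk above, so `n >= STRING_MAX - 1` expresses the same limit without the `sizeof` division; either way, a comment saying the `- 1` is deliberate is worth adding, since it was lost once already in this thread.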

Upstream pointed this out, so they are aware ;)
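The bound arithmetic this thread works through, as an added example that is neither rxvt's code nor the reporter's patch: it models the four checks posted (the original, the description's byte-multiplied one, comment #1's, and comment #7's) to show where each lets the loop stop, and carries the final check into a copy loop fed the kind of long ESC P run the perl one-liner produces. STRING_MAX, `string`, `dcs_copy` and `copy_run_of` are constructed names, and the assumption that the loop terminates the string at string[n] after exiting is mine, inferred from the `- 1` headroom in the original check.

```c
#include <stddef.h>
#include <stdint.h>
/* Added example, not rxvt code. STRING_MAX is a constructed stand-in for the
   value in rxvt's headers; `string` mirrors the array declared in the diff. */
#define STRING_MAX 512
static wchar_t string[STRING_MAX];
/* The four bound checks posted in this thread, in order. */
enum check { BYTES_ORIG, BYTES_MUL, ELEMS_FULL, ELEMS_HEADROOM };

static int stop_here(enum check c, size_t n)
{
    switch (c) {
    case BYTES_ORIG: return n >= sizeof (string) - 1;                       /* bytes vs. elements */
    case BYTES_MUL:  return (n * sizeof (*string)) >= sizeof (string) - 1;   /* description's fix */
    case ELEMS_FULL: return n >= (sizeof (string) / sizeof (*string));       /* comment #1 */
    default:         return n >= ((sizeof (string) / sizeof (*string)) - 1); /* comment #7 */
    }
}

/* Smallest n at which the loop returns NULL. The check precedes each
   string[n++] = ch, so the last element written is n - 1, and a terminator
   (assumed to be stored at string[n] when input ends) needs n < STRING_MAX. */
static size_t first_rejected_n(enum check c)
{
    size_t n = 0;
    while (!stop_here(c, n)) n++;
    return n;
}

/* Hardened loop with the final check (STRING_MAX - 1 is the comment #7 bound):
   returns elements stored, or -1 where rxvt returns NULL. */
static long dcs_copy(const uint32_t *in, size_t in_len)
{
    size_t n = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (n >= STRING_MAX - 1)
            return -1;                     /* stop at some sane length */
        string[n++] = (wchar_t)in[i];
    }
    string[n] = 0;
    return (long)n;
}
/* Feed a constructed run of `count` 'x' code points, like the perl one-liner. */
static long copy_run_of(size_t count)
{
    static uint32_t in[5000];
    if (count > 5000) return -2;
    for (size_t i = 0; i < count; i++) in[i] = 'x';
    return dcs_copy(in, count);
}
```

On a platform with a 4-byte wchar_t the original check lets n climb to 2047 before refusing, four times past the 512-element array, while the two intermediate fixes stop exactly at 512 and leave no slot for the terminator.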

------- Comment #8 From Ciaran McCreesh 2005-03-14 07:41:48 0000 -------
I added 5.3 to the tree, which should contain the fixes. KEYWORDS are ~x86
~sparc ~amd64 ~ppc. Note that ~mips is stuck at 5.1 pending bug #82737 (just a
use.mask).

------- Comment #9 From Thierry Carrez (RETIRED) 2005-03-15 06:51:39 0000 -------
Release public @ http://dist.schmorp.de/rxvt-unicode/Changes
4.8 is affected and stable on ppc so it's not ~, we need a GLSA.

ppc: please test and mark x11-terms/rxvt-unicode-5.3 stable

------- Comment #10 From Jochen Maes (RETIRED) 2005-03-15 08:12:45 0000 -------
stable on ppc 

------- Comment #11 From Luke Macken (RETIRED) 2005-03-15 15:51:06 0000 -------
Ready for GLSA.

------- Comment #12 From Thierry Carrez (RETIRED) 2005-03-18 00:40:07 0000 -------
This is CAN-2005-0764

------- Comment #13 From Sune Kloppenborg Jeppesen 2005-03-20 08:53:47 0000 -------
GLSA drafted. The CVE id apparently is not reserved yet.

------- Comment #14 From Sune Kloppenborg Jeppesen 2005-03-20 12:14:35 0000 -------
GLSA 200503-23
