Bug 573574 - <app-portage/portage-utils-0.62: qfile: stack buffer overflow when using -f/--from
Summary: <app-portage/portage-utils-0.62: qfile: stack buffer overflow when using -f/-...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 573106 584984
Blocks:
Reported: 2016-02-01 10:17 UTC by Agostino Sarubbo
Modified: 2017-01-29 07:12 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Asan output (file_573574.txt,9.42 KB, text/plain)
2016-02-01 10:17 UTC, Agostino Sarubbo

Description Agostino Sarubbo gentoo-dev 2016-02-01 10:17:44 UTC
Created attachment 424390
Asan output

I discovered that a crafted file is causing a stack OOB.


Crafted file: http://dev.gentoo.org/~ago/qfile-OOB-crash.log
Comment 1 SpanKY gentoo-dev 2016-02-01 17:42:33 UTC
where exactly are you putting this file?  qfile doesn't read specific files like qlop's -f flag, so it's not clear what you're doing.  please describe in full how to reproduce.
Comment 2 Agostino Sarubbo gentoo-dev 2016-02-03 11:51:44 UTC
(In reply to SpanKY from comment #1)
> where exactly are you putting this file ?  qfile doesn't read specific files
> like qlop's -f flag, so it's not clear what you're doing.  please describe
> in full how to reproduce.

qfile --help reports:
  -f, --from     <arg> * Read arguments from file <arg> ("-" for stdin)

SO:

ago@willoughby /tmp $ echo "/bin/nano" > emerge.log
ago@willoughby /tmp $ qfile -f emerge.log
app-editors/nano (/bin/nano)
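As an added illustration of the bug class (this is not portage-utils code; the project's actual fix, linked below in comment 6, removed the option instead): a reader for a "one argument per line" file that keeps its argument vector in a fixed-size array on the stack and never checks how many lines it has consumed, beside a hardened reader that grows the vector on the heap. The MAX_STACK_ARGS limit, the function names and the sample file contents are all hypothetical; the page does not say where or how large the real overrun in qfile was.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Argument vector built from a "--from" style file, one argument per
 * line.  argv is NULL-terminated so it can go straight to an exec-style
 * call or a getopt loop. */
typedef struct {
    char **argv;
    size_t argc;
} arglist;

static void free_args(arglist *a)
{
    for (size_t i = 0; i < a->argc; i++)
        free(a->argv[i]);
    free(a->argv);
    a->argv = NULL;
    a->argc = 0;
}

/* Copy [p, p+len) into a fresh NUL-terminated heap string. */
static char *dup_range(const char *p, size_t len)
{
    char *s = malloc(len + 1);
    if (s) {
        memcpy(s, p, len);
        s[len] = '\0';
    }
    return s;
}

/* Hypothetical vulnerable pattern: args[] lives on the stack with a fixed
 * size and nothing checks n against it, so a file with more than
 * MAX_STACK_ARGS non-empty lines writes past the array.  This is the kind
 * of write ASan reports as stack-buffer-overflow.  Only call it on a
 * file you control, under -fsanitize=address, to watch it trip. */
#define MAX_STACK_ARGS 4
static size_t read_args_unsafe(const char *contents)
{
    char *args[MAX_STACK_ARGS];
    size_t n = 0;
    const char *p = contents;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0)
            args[n++] = dup_range(p, len); /* BUG: no n < MAX_STACK_ARGS check */
        p = nl ? nl + 1 : p + len;
    }
    for (size_t i = 0; i < n; i++)
        free(args[i]);
    return n;
}

/* Hardened form: the vector is heap-allocated, every write is preceded by
 * a capacity check, and a trailing NULL is always kept.  Blank lines are
 * skipped.  Returns 0 on success, -1 on allocation failure (out is left
 * empty and owns nothing). */
static int read_args_safe(const char *contents, arglist *out)
{
    size_t cap = 0;
    const char *p = contents;

    out->argv = NULL;
    out->argc = 0;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        if (len > 0) {
            /* Room for this entry plus the terminating NULL. */
            if (out->argc + 1 >= cap) {
                size_t ncap = cap ? cap * 2 : 8;
                char **tmp = realloc(out->argv, ncap * sizeof *tmp);
                if (!tmp) { free_args(out); return -1; }
                out->argv = tmp;
                cap = ncap;
            }
            char *s = dup_range(p, len);
            if (!s) { free_args(out); return -1; }
            out->argv[out->argc++] = s;
            out->argv[out->argc] = NULL;
        }
        p = nl ? nl + 1 : p + len;
    }
    if (!out->argv) {                 /* empty file: still a valid vector */
        out->argv = malloc(sizeof *out->argv);
        if (!out->argv) return -1;
        out->argv[0] = NULL;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample file contents, not a real qfile run. */
    const char *sample =
        "/bin/nano\n/usr/bin/python\n\n/etc/portage/make.conf\n"
        "/usr/lib/libc.so.6\n/usr/bin/gcc\n";
    arglist a;
    if (read_args_safe(sample, &a) != 0)
        return 1;
    for (size_t i = 0; i < a.argc; i++)
        printf("arg[%zu] = %s\n", i, a.argv[i]);
    free_args(&a);
    /* read_args_unsafe(sample);  six entries, four slots: overflow */
    return 0;
}
```

Build with `cc -std=c99 -fsanitize=address -g` and uncomment the read_args_unsafe call to get a stack-buffer-overflow report of the same kind as the attached ASan output; the safe reader handles the same input, and larger ones, by growing the vector with realloc.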
Comment 3 SpanKY gentoo-dev 2016-02-03 18:02:29 UTC
oh, for argv processing.  no one uses that flag :p.  i think i'll just delete it and see if anyone complains.
Comment 4 Agostino Sarubbo gentoo-dev 2016-02-04 09:09:27 UTC
(In reply to SpanKY from comment #3)
> oh, for argv processing.  no one uses that flag :p.  i think i'll just
> delete it and see if anyone complains.

You are free to delete it, but did you do a survey to know that no one uses it? :D
Comment 5 SpanKY gentoo-dev 2016-02-04 17:41:10 UTC
(In reply to Agostino Sarubbo from comment #4)

if someone misses it, they'll file a bug for me
Comment 6 SpanKY gentoo-dev 2016-02-04 18:01:52 UTC
dropped it here:
https://gitweb.gentoo.org/proj/portage-utils.git/commit/?id=070f64a84544f74ad633f08c9c07f99a06aea551

commit message also explains how to trivially replace all uses of `qfile -f` with `xargs -a ... qfile`.
Comment 7 Agostino Sarubbo gentoo-dev 2016-02-05 10:09:17 UTC
well, do you mind making a new upstream version so we can stabilize that?
it will also fix bug 573106.

Thanks
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-02-15 05:14:03 UTC
Is this ready to go stable?
Comment 10 SpanKY gentoo-dev 2016-03-28 04:57:31 UTC
stabilizing through bug 573106
Comment 11 Ulrich Müller gentoo-dev 2016-06-06 15:57:32 UTC
So instead of fixing it, you just remove the option, breaking reverse dependencies? Nice.
Comment 12 SpanKY gentoo-dev 2016-06-06 18:44:03 UTC
(In reply to Ulrich Müller from comment #11)

the option was not well written in the first place, both internally and externally.  read the details in comment 6.

the fact it wasn't failing in the edge cases for you was purely a happy accident.  that isn't how one writes reliable/good tooling.
Comment 13 Ulrich Müller gentoo-dev 2016-06-07 13:02:59 UTC
(In reply to SpanKY from comment #6)
> commit message also explains how to trivially replace all uses of `qfile -f`
> with `xargs -a ... qfile`.

BTW, that won't work on all systems because the -a option is a GNU extension. (xargs with input redirection can be used, of course.)
Comment 14 Rick Farina (Zero_Chaos) gentoo-dev 2016-06-14 18:37:37 UTC
might want to actually remove it from the manual too...
Comment 15 SpanKY gentoo-dev 2016-06-15 05:01:51 UTC
(In reply to Ulrich Müller from comment #13)

as a practical matter, i don't think that's terribly relevant.  we pretty much require GNU/findutils in the tree, so if you're building things, you have it.

(In reply to Rick Farina (Zero_Chaos) from comment #14)

that's what we get for writing documentation ;)

https://gitweb.gentoo.org/proj/portage-utils.git/commit/?id=3fb265e0863689e3e352fc6abcedc77a262323f2
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2016-12-07 09:15:56 UTC
@maintainer(s), please clean the vulnerable versions from the tree.

While there is no PoC, it is safest to clean the vulnerable versions.  We will close this as [noglsa] due to the lack of such proof.  If anyone wants this audited then please reopen and assign to the auditing team.
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2017-01-01 11:27:16 UTC
bump for cleanup.
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2017-01-24 08:51:36 UTC
https://github.com/gentoo/gentoo/pull/3620
Comment 19 Aaron Bauman (RETIRED) gentoo-dev 2017-01-29 07:12:41 UTC
Tree is clean