| Summary: | sys-apps/file Buffer overflow (CVE-2007-2799) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | lars, sgtphou, solar |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241022 | | |
| Whiteboard: | A2 [glsa] jaervosz | | |
| Package list: | | Runtime testing required: | --- |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2007-05-23 21:04:49 UTC
I got this email earlier today and my first thought was dupe :)

*** This bug has been marked as a duplicate of bug 171452 ***

It's not a dupe. The patch for CVE-2007-1536 introduced another issue.

Information from Redhat bug:

Colin Percival discovered that the fix for CVE-2007-1536 created an integer overflow flaw in file. This new flaw has been assigned CVE-2007-2799. Here is the information from Colin:

```diff
+ len = ms->o.size - ms->o.left;
+ /* * 4 is for octal representation, + 1 is for NUL */
+ psize = len * 4 + 1;
+ assert(psize > len);
```

On a 32-bit system, if len is 1.35GB, len * 4 + 1 = 5.4GB == 1.4GB, so the assert will pass. The buffer will then be overflowed (by as much as the attacker wants, although of course he'll run into unwritable addresses eventually). This looks pretty exploitable...

I think the right solution is to apply

```diff
- assert(psize > len);
+ if (len > (SIZE_T_MAX - 1) / 4) {
+ file_oomem(ms);
+ return NULL;
+ }
```

and add #include <limits.h> to the top (in place of the #include <assert.h> which the earlier patch adds).

This needs to be fixed. The fix for the last two bumps was bogus. Somewhat a shame fbsd had to figure this out and our own people did not. Credits to the fbsd team.

file-4.21 is in portage

Thx Mike. Arches please test and mark stable. Target keywords are: file-4.21.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"

Stable for HPPA.

x86/amd64 stable

alpha/ia64 stable

ppc64 stable

ppc stable

sparc stable.

200705-25, thanks everybody

mips stable.

*** Bug 181099 has been marked as a duplicate of this bug. ***
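Review bot: in the first fragment, `assert(psize > len)` placed after `psize = len * 4 + 1` cannot detect the multiplication wrapping, because a wrapped product can still land above len (the 1.35GB case described in the comment), and assert() is compiled out under NDEBUG, so release builds carry no check at all. Bound len before the multiplication instead, as the second fragment does with `if (len > (SIZE_T_MAX - 1) / 4) { file_oomem(ms); return NULL; }`.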
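Review bot: in the second fragment, `SIZE_T_MAX` in `if (len > (SIZE_T_MAX - 1) / 4)` is the BSD spelling; C99 and glibc name this constant `SIZE_MAX` and provide it from <stdint.h>, not <limits.h>, so the suggested `#include <limits.h>` will not make the line compile on Linux. Use SIZE_MAX with <stdint.h> (or supply a fallback definition when SIZE_T_MAX is absent). The bound itself is correct: for any len not above (SIZE_MAX - 1) / 4, len * 4 + 1 fits in size_t without wrapping.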
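The wraparound Colin Percival describes, as an added example that is not the file(1) project's code nor anything posted by the bug's participants: both size checks quoted above are modelled on an explicit 32-bit unsigned type so the arithmetic behaves like size_t on a 32-bit build regardless of the host, and each check is run over a few constructed len values (including the roughly 1.35GB one from the report). The names sz32, SZ_MAX, psize_vulnerable, accepts_vulnerable, accepts_fixed, psize_is_sufficient and demo_unsafe_count are assumptions made for this example; SZ_MAX stands in for SIZE_T_MAX/SIZE_MAX.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not the file(1) project's code). The two size checks
 * quoted in the bug are reproduced on an explicit 32-bit unsigned type so
 * the wraparound is visible on any host; sz32 and SZ_MAX stand in for
 * size_t and SIZE_T_MAX/SIZE_MAX on a 32-bit build (assumed names).
 */
typedef uint32_t sz32;
#define SZ_MAX UINT32_MAX

/* psize as the CVE-2007-1536 patch computes it: len * 4 + 1 modulo 2^32. */
sz32 psize_vulnerable(sz32 len)
{
    return (sz32)(len * 4u + 1u);   /* 32-bit unsigned arithmetic wraps silently */
}

/* The original check, assert(psize > len): returns 1 if it would let len through. */
int accepts_vulnerable(sz32 len)
{
    return psize_vulnerable(len) > len;
}

/* The proposed fix: bound len before multiplying, so the product cannot wrap. */
int accepts_fixed(sz32 len)
{
    if (len > (SZ_MAX - 1) / 4)     /* len * 4 + 1 would not fit in sz32 */
        return 0;                   /* caller takes the file_oomem()/return NULL path */
    return 1;
}

/* Ground truth computed in 64 bits, where no wrap occurs: does psize really
   hold the 4*len + 1 bytes the octal escaping may need? */
int psize_is_sufficient(sz32 len, sz32 psize)
{
    uint64_t needed = (uint64_t)len * 4 + 1;
    return needed <= psize;
}

/* Constructed inputs: a small len, the largest len the fix accepts, the first
   wrapping len (which the assert happens to catch, since psize becomes 1),
   and about 1.35GB as in the report (which the assert does not catch). */
static const sz32 demo_lens[] = { 100u, 0x3FFFFFFFu, 0x40000000u, 0x56000000u };
#define DEMO_N ((int)(sizeof demo_lens / sizeof demo_lens[0]))

/* Number of demo inputs the vulnerable check accepts with an undersized buffer. */
int demo_unsafe_count(void)
{
    int unsafe = 0;
    for (int i = 0; i < DEMO_N; i++) {
        sz32 len = demo_lens[i];
        if (accepts_vulnerable(len) && !psize_is_sufficient(len, psize_vulnerable(len)))
            unsafe++;
    }
    return unsafe;
}

int main(void)
{
    printf("%-12s %-12s %-8s %-8s %s\n", "len", "psize", "assert", "fixed", "safe?");
    for (int i = 0; i < DEMO_N; i++) {
        sz32 len = demo_lens[i];
        sz32 p = psize_vulnerable(len);
        printf("0x%08x   0x%08x   %-8s %-8s %s\n", len, p,
               accepts_vulnerable(len) ? "passes" : "aborts",
               accepts_fixed(len) ? "accept" : "reject",
               psize_is_sufficient(len, p) ? "yes" : "NO");
    }
    printf("vulnerable check accepted %d undersized buffer(s)\n", demo_unsafe_count());
    return 0;
}
```

The table the program prints makes the point of the report concrete: the assert rejects the input whose product wraps exactly to zero, but accepts 0x56000000, where the wrapped psize (0x58000001) is still larger than len while being far smaller than the 4*len + 1 bytes actually required. The fixed check rejects every len above (SZ_MAX - 1) / 4 before any multiplication happens, which is the only place such a bound can be evaluated safely.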