| Summary: | sys-fs/xfsdump-3.0.4-r1: Buffer overflow | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Eric Grüttefien <gentoo> |
| Component: | Current packages | Assignee: | Gentoo's Team for Core System packages <base-system> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | ||
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://oss.sgi.com/bugzilla/show_bug.cgi?id=876 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 259417 | ||
| Attachments: | fix buffer overflow | ||
|
Description
Eric Grüttefien
2010-08-29 09:49:53 UTC
Created attachment 245204 [details, diff]
fix buffer overflow
xfsdump creates an buffer overflow when -F is not used and the Media Erase dialog is shown. I don't know whether substituting hardcoded number with slightly larger hardcoded number is good solution. Nevertheless +1 for reporting it upstream. Next time please add link to upstream bug to URL. Thanks! doesnt seem to be a serious issue as the binaries arent set*id or anything. so let's see what upstream has to say first. since glibc fortification checks makes xfsdump wirte a core i think it is a serious issue. UPS ... it's not the change dialog it's is the media erase dialog. BIG SORRY ! @Comment 4: sprintf( question, "pre-erase (-%c) option specified " "and non-blank media encountered:\n" "please confirm media erase " "drive %u\n", GETOPT_ERASE, (unsigned int)drivep->d_index ); build a messeage with min 105 chars and max 117 chars. So "char question[ 120 ];" would be enough but i think 80 unused bytes in a "char question[ 200 ]" arn't the world an the code uses a char question[ 100 ]; also for questions with 37 used bytes. hth, Eric security issue -> it's serious just a single user crash with specific option -> not serious It's a fortification issue that we should have Portage die on, so it's "serious enough"… fix added to 3.0.5 |
