
Bug 78530

Summary: net-nntp/newspost 2.1.1 buffer overflow issue (CAN-2005-0101)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: net-news
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://people.freebsd.org/~niels/issues/newspost-20050114.txt
Whiteboard: B2 [glsa] lewk
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-18 09:22:21 UTC
An overflow exists in the socket_getline() function. This function
reads a string from the socket into a given array and is used by
the nntp_get_response function.

The problem code is:

        while (TRUE) {
                retval = read(sockfd, pi, 1);
                if(retval < 0)
                        ui_socket_error(errno);
                read_count += retval;
                pi++;
                if (buffer[i] == '\n')
                        break;
                i++;
        }

The pi array is the buffer and data is read into it until a '\n'
is received.  So to overflow the buffer one has to provide a long
string without newline characters.

Testing the overflow:
---------------------

Create a server:
perl -e 'print "A" x 1024;print "BBBBCCCCDDDDEEEE"'|  nc -v -l -p 119

Connect to it:
newspost  -s test -i localhost -f me@me.nl -n news.news  /etc/hosts

Break the connection by ^C'ing the netcat and you will see that
newspost segfaults immediately.

Fix for the problem:
--------------------

A rather simple fix would be to apply the patch below. It does the
job because all buffers handed to the socket_getline function are
STRING_BUFSIZE big.

--- base/socket.c.orig  Tue Jan 18 11:08:02 2005
+++ base/socket.c       Tue Jan 18 11:10:08 2005
@@ -126,7 +126,7 @@

        i = 0;
        pi = buffer;
-       while (TRUE) {
+       while (read_count < STRING_BUFSIZE - 1) {
                retval = read(sockfd, pi, 1);
                if(retval < 0)
                        ui_socket_error(errno);
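Review bot: the new loop condition bounds on read_count, but read_count only grows when read() returns data, while the `pi++` and `i++` in the unchanged lines that follow (shown in the description's excerpt) advance unconditionally; a read() that returns 0 because the peer closed the connection, which is exactly what the ^C step in the test triggers, therefore still walks pi past the end of the buffer while read_count stays below STRING_BUFSIZE - 1. Bound the loop on i (or pi - buffer) rather than read_count, break out when retval == 0, and make sure the buffer is NUL-terminated after the loop, since a line that hits the limit now exits without its '\n'. Note also that the unread tail of an over-long line stays in the socket and will be parsed as the next response unless it is drained.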
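As an added example, not newspost's code and not the patch above: a bounded replacement for the socket_getline() loop that also stops when read() reports the peer has gone away (the case the ^C test exercises), together with a pipe harness that feeds it constructed input; the names bounded_getline and demo, and the 64-byte buffer standing in for STRING_BUFSIZE, are assumptions.

```c
#include <string.h>
#include <unistd.h>

/* Reads one byte at a time like the original loop, but stops after
 * bufsize - 1 bytes, stops on read() == 0 (peer closed) instead of
 * spinning past the buffer, and always NUL-terminates.
 * Returns bytes stored (a terminating '\n' is kept), or -1 on error. */
ssize_t bounded_getline(int fd, char *buffer, size_t bufsize)
{
    size_t i = 0;
    if (bufsize == 0)
        return -1;
    while (i < bufsize - 1) {
        ssize_t retval = read(fd, buffer + i, 1);
        if (retval <= 0) {          /* error, or end of input: do not spin */
            buffer[i] = '\0';
            return retval < 0 ? -1 : (ssize_t)i;
        }
        i++;
        if (buffer[i - 1] == '\n')
            break;
    }
    buffer[i] = '\0';               /* a line that hit the limit has no '\n' */
    return (ssize_t)i;
}

/* Offline harness with constructed input: count copies of fill followed
 * by tail (no newline appended) are pushed through a pipe and read back
 * into a 64-byte buffer standing in for STRING_BUFSIZE. Returns the stored
 * length, or -2 if the buffer came back without proper NUL termination. */
ssize_t demo(char fill, size_t count, const char *tail)
{
    static char buf[64];
    char payload[2048];
    size_t tlen = strlen(tail);
    int fds[2];
    if (count + tlen > sizeof payload || pipe(fds) < 0)
        return -1;
    memset(payload, fill, count);
    memcpy(payload + count, tail, tlen);
    ssize_t w = write(fds[1], payload, count + tlen);  /* fits the pipe buffer */
    close(fds[1]);                  /* so the reader sees EOF after the payload */
    ssize_t n = -1;
    if (w == (ssize_t)(count + tlen))
        n = bounded_getline(fds[0], buf, sizeof buf);
    close(fds[0]);
    if (n >= 0 && (buf[n] != '\0' || strlen(buf) != (size_t)n))
        return -2;
    return n;
}
```

The first call in the test mirrors the report's 1024-byte run with no newline; with the original loop the same input would have written past the buffer.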
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-18 09:23:24 UTC
Upstream has been notified of disclosure date.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-01 08:23:11 UTC
net-news please provide an updated ebuild. Upstream has apparently not released a fixed version.
Comment 3 Sven Wegener gentoo-dev 2005-02-01 08:52:05 UTC
net-nntp/newspost-2.0-r1
net-nntp/newspost-2.1.1-r1

with the patch in CVS and stable on x86. 2.0 is still needed because net-nntp/gnewspost depends on it.
Comment 4 Luke Macken (RETIRED) gentoo-dev 2005-02-02 16:25:43 UTC
GLSA 200502-05, thanks everyone!