Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 123782 - app-arch/zoo: buffer overflows
Summary: app-arch/zoo: buffer overflows
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa] DerCorny
Depends on:
Reported: 2006-02-22 20:56 UTC by Stefan Cornelius (RETIRED)
Modified: 2006-03-06 13:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Cornelius (RETIRED) gentoo-dev 2006-02-22 20:56:34 UTC
When feeding zoo a specially crafted archive, an attacker may be able
to trigger a stack overflow and seize control of the program.

fullpath()/misc.c accepts a pointer to a directory entry and returns the
combined directory name and filename.  fullpath() calls the function
combine()/misc.c, and assume that the length of the string returned is never
longer than 256 bytes.  In fact, the string returned can be made a little
longer than 512 bytes.

If the string is in fact longer than 256 bytes, a static variable can be
overflowed in the function fullpath()/misc.c .  This string is later used
in a strcpy() on a destination buffer of 256 bytes on the stack.

It is then easy to overwrite EIP and take control of the program.


diff -u -r -r zoo-2.10.old/misc.c zoo-2.10.orig/misc.c
--- zoo-2.10.old/misc.c 1991-07-05 12:00:00.000000000 -0400
+++ zoo-2.10.orig/misc.c        2006-01-29 17:20:35.000000000 -0500
@@ -135,11 +135,16 @@
 char *fullpath (direntry)
 struct direntry *direntry;
-       static char result[PATHSIZE];
+       static char result[PATHSIZE+PATHSIZE+12]; // Room for enough space
        combine (result,
                                direntry->dirlen != 0 ?
direntry->dirname : "",
                                (direntry->namlen != 0) ? direntry->lfname :
+       if (strlen (result) >= PATHSIZE) {
+               prterror ('f', "Combined dirname and filename too long\n");
+       }
        return (result);
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-22 20:58:35 UTC
yay, no maintainer ...
Comment 2 Jonathan Smith (RETIRED) gentoo-dev 2006-02-23 13:15:44 UTC
i'll take it
Comment 3 Jonathan Smith (RETIRED) gentoo-dev 2006-02-23 13:40:09 UTC
x86 stable. other archs, please stabalize 2.10-r1
Comment 4 Markus Rothe (RETIRED) gentoo-dev 2006-02-23 23:02:32 UTC
One epatch source seems to be wrong. Here is the output:

 * Cannot find $EPATCH_SOURCE!  Value for $EPATCH_SOURCE is:
 *   /var/tmp/portage/zoo-2.10-r1/work/zoo-2.10-gcc33-issues-fix.patch
 *   ( zoo-2.10-gcc33-issues-fix.patch )

epatch tries ${WORKDIR} instead of ${DISTDIR}.
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2006-02-23 23:04:37 UTC
this was already fixed in CVS. ppc64 stable now!
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2006-02-24 06:17:43 UTC
sparc stable.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2006-02-26 09:25:53 UTC
Changing status
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2006-02-26 10:51:51 UTC
ppc stable
Comment 9 Simon Stelling (RETIRED) gentoo-dev 2006-02-27 11:29:08 UTC
amd64 stable, and it seems alpha is already done too:

  26 Feb 2006; Bryan 
Comment 10 Simon Stelling (RETIRED) gentoo-dev 2006-02-27 11:29:08 UTC
amd64 stable, and it seems alpha is already done too:

  26 Feb 2006; Bryan Østergaard < zoo-2.10-r1.ebuild:
  Stable on alpha, bug 123782.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2006-03-06 13:28:37 UTC
GLSA 200603-05