Bug 335115 - sys-fs/xfsdump-3.0.4-r1: Buffer overflow
Summary: sys-fs/xfsdump-3.0.4-r1: Buffer overflow
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Gentoo's Team for Core System packages
Depends on:
Blocks: fortify-source
Reported: 2010-08-29 09:49 UTC by Eric Grüttefien
Modified: 2011-04-12 17:56 UTC (History)

See Also:
Package list:
Runtime testing required: ---

fix buffer overflow (buffer_overflow_media_erase.patch,436 bytes, patch)
2010-08-29 09:51 UTC, Eric Grüttefien

Description Eric Grüttefien 2010-08-29 09:49:53 UTC
Buffer overflow in media change dialog
Comment 1 Eric Grüttefien 2010-08-29 09:51:19 UTC
Created attachment 245204
fix buffer overflow
Comment 2 Eric Grüttefien 2010-08-29 09:53:25 UTC
xfsdump creates a buffer overflow when -F is not used and the Media Erase dialog is shown.
Comment 3 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2010-08-29 11:22:09 UTC
I don't know whether substituting a hardcoded number with a slightly larger hardcoded number is a good solution. Nevertheless, +1 for reporting it upstream. Next time please add a link to the upstream bug in the URL field. Thanks!
Comment 4 SpanKY gentoo-dev 2010-08-29 22:22:50 UTC
Doesn't seem to be a serious issue as the binaries aren't set*id or anything. So let's see what upstream has to say first.
Comment 5 Eric Grüttefien 2010-08-30 11:03:51 UTC
Since glibc fortification checks make xfsdump write a core, I think it is a serious issue.

Oops ... it's not the change dialog, it's the media erase dialog. BIG SORRY!
Comment 6 Eric Grüttefien 2010-08-30 11:18:40 UTC
@Comment 4:

	sprintf( question,
		 "pre-erase (-%c) option specified "
		 "and non-blank media encountered:\n"
		 "please confirm media erase "
		 "drive %u\n",
		 (unsigned int)drivep->d_index );

builds a message with min 105 chars and max 117 chars. So "char question[ 120 ];" would be enough, but I think 80 unused bytes in a "char question[ 200 ]" aren't the end of the world, and the code uses a char question[ 100 ]; also for questions with 37 used bytes.
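To make the length arithmetic from this comment checkable, here is an added example (not xfsdump's own code): it measures, with snprintf(NULL, 0, ...), the exact message the quoted format string produces for the smallest and largest drive index, and shows a bounded replacement that reports truncation instead of writing past the buffer. The option letter 'E' and the 100/200 byte buffer sizes are assumptions taken from the discussion.

```c
#include <stdio.h>
#include <limits.h>
#include <stdbool.h>

/* Format string copied from the sprintf() call quoted in comment 6;
 * everything else in this file is constructed for illustration. */
#define QUESTION_FMT \
    "pre-erase (-%c) option specified "   \
    "and non-blank media encountered:\n"  \
    "please confirm media erase "         \
    "drive %u\n"

#define QUESTION_BUFSZ 100   /* size of the original char question[ 100 ] */

/* Number of chars (excluding the NUL) the message needs for a given
 * option letter and drive index. A NULL buffer makes snprintf measure only. */
size_t question_len(char opt, unsigned int drive_index)
{
    int n = snprintf(NULL, 0, QUESTION_FMT, opt, drive_index);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened form: bounded write that reports whether the whole message fit.
 * sprintf() into a too-small buffer is what _FORTIFY_SOURCE aborts on. */
bool build_question(char *buf, size_t bufsz, char opt, unsigned int drive_index)
{
    int n = snprintf(buf, bufsz, QUESTION_FMT, opt, drive_index);
    return n >= 0 && (size_t)n < bufsz;
}

int main(void)
{
    char question[QUESTION_BUFSZ];   /* the original, too-small size */
    char bigger[200];                /* the size the patch discussion proposes */

    printf("shortest message: %zu chars + NUL, buffer is %d bytes\n",
           question_len('E', 0), QUESTION_BUFSZ);
    printf("longest message:  %zu chars + NUL (drive index %u)\n",
           question_len('E', UINT_MAX), UINT_MAX);

    if (!build_question(question, sizeof question, 'E', 0))
        puts("100-byte buffer: truncated; the original sprintf() overflows here");
    if (build_question(bigger, sizeof bigger, 'E', UINT_MAX))
        puts("200-byte buffer: fits even for the largest drive index");
    return 0;
}
```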


Comment 7 SpanKY gentoo-dev 2010-08-30 17:10:41 UTC
security issue -> it's serious

just a single user crash with specific option -> not serious
Comment 8 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-09-18 11:41:10 UTC
It's a fortification issue that we should have Portage die on, so it's "serious enough"…
Comment 9 SpanKY gentoo-dev 2011-04-12 17:56:31 UTC
fix added to 3.0.5