Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 340253 - dev-libs/libtar _FORTIFY_SOURCE indicates presence of overflow
Summary: dev-libs/libtar _FORTIFY_SOURCE indicates presence of overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: fortify-source
  Show dependency tree
 
Reported: 2010-10-09 12:16 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2011-02-11 21:10 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Build log (libtar-1.2.11-r3:20101009-083108.log,20.66 KB, text/plain)
2010-10-09 12:16 UTC, Diego Elio Pettenò (RETIRED)
Details
Fix buffer overflow on ustar magic field (libtar-1.2.11-magic-overflow.patch,351 bytes, patch)
2011-01-29 19:56 UTC, Kevin McCarthy (RETIRED)
Details | Diff
ebuild to apply the magic overflow patch (libtar-1.2.11-r4.ebuild,1.27 KB, text/plain)
2011-01-29 19:57 UTC, Kevin McCarthy (RETIRED)
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Diego Elio Pettenò (RETIRED) gentoo-dev 2010-10-09 12:16:01 UTC
You're receiving this bug because the package in Summary has produced _FORTIFY_SOURCE related warnings indicating the presence of a sure overflow in a static buffer.

Even though this is not always an indication of a security problem it might even be. So please check this out ASAP.

By the way, _FORTIFY_SOURCE is disabled when you disable optimisation, so don't try finding out the cause using -O0.

Thanks,
Your friendly neighborhood tinderboxer
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-10-09 12:16:13 UTC
Created attachment 250013 [details]
Build log
Comment 2 Kevin McCarthy (RETIRED) gentoo-dev 2011-01-29 19:56:58 UTC
Created attachment 261035 [details, diff]
Fix buffer overflow on ustar magic field
Comment 3 Kevin McCarthy (RETIRED) gentoo-dev 2011-01-29 19:57:25 UTC
Created attachment 261036 [details]
ebuild to apply the magic overflow patch
Comment 4 Kevin McCarthy (RETIRED) gentoo-dev 2011-01-29 20:00:43 UTC
In encode.c there was an attempt to strncpy the 8 character string "ustar  " into a 6 character field in the ustar header. The ustar format calls for a 6 character field that contains "ustar" terminated by a null, so I've changed it to that.
Comment 5 Samuli Suominen gentoo-dev 2011-02-11 21:10:23 UTC
applied in -r4