Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 65773 - app-arch/sharutils - 2 buffer overflows
Summary: app-arch/sharutils - 2 buffer overflows
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
: 65846 (view as bug list)
Depends on:
Blocks:
 
Reported: 2004-09-29 00:23 UTC by Florian Schilhabel (RETIRED)
Modified: 2011-10-30 22:41 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
... the patch (sharutils-gentoo.diff,1.92 KB, patch)
2004-09-29 00:25 UTC, Florian Schilhabel (RETIRED)
no flags Details | Diff
the revised (working !!!) patch (gentoo-patch.diff,1.93 KB, patch)
2004-09-29 06:16 UTC, Florian Schilhabel (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Schilhabel (RETIRED) gentoo-dev 2004-09-29 00:23:29 UTC
hi,
attached is a patch, that fixes 2 buffer overflows in app-arch/sharutils:

the first one was discovered by ulf harnhammar;
see:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=265904
for details.
while looking through the code, i discovered one more overflow:
try this:
bash-2.05# unshar `perl -e 'print "A"x1500'`/tmp/testing
unshar: /home/flo/AA[A*x]AAA/tmp/testingSegmentation fault (core dumped)
attached patch fixes all two problems.

best regards
florian [rootshell]
Comment 1 Florian Schilhabel (RETIRED) gentoo-dev 2004-09-29 00:25:30 UTC
Created attachment 40686 [details, diff]
... the patch
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-29 01:07:32 UTC
Mike you did one of the previous security fixes please do it again.

Also this package lacks metadata.xml.
Comment 3 Florian Schilhabel (RETIRED) gentoo-dev 2004-09-29 02:04:53 UTC
Comment on attachment 40686 [details, diff]
... the patch

>diff -Naur ./sharutils-4.2.1/src/shar.c ./sharutils-4.2.1_new/src/shar.c
>--- ./sharutils-4.2.1/src/shar.c	1999-09-10 21:20:41.000000000 +0200
>+++ ./sharutils-4.2.1_new/src/shar.c	2004-09-29 09:06:06.782294248 +0200
>@@ -1571,7 +1571,7 @@
> 	  sprintf (command, "%s '%s'", CHARACTER_COUNT_COMMAND, local_name);
> 	  if (pfp = popen (command, "r"), pfp)
> 	    {
>-	      char wc[BUFSIZ];
>+		char wc[BUFSIZ], tempform[50];      
> 	      const char *prefix = "";
> 
> 	      if (did_md5)
>@@ -1579,8 +1579,8 @@
> 		  fputs ("  else\n", output);
> 		  prefix = "  ";
> 		}
>-
>-	      fscanf (pfp, "%s", wc);
>+	sprintf (tempform, "%%%ds", BUFSIZ - 1);
>+	fscanf (pfp, tempform, wc);
> 	      fprintf (output, "\
> %s  shar_count=\"`%s '%s'`\"\n\
> %s  test %s -eq \"$shar_count\" ||\n\
>diff -Naur ./sharutils-4.2.1/src/unshar.c ./sharutils-4.2.1_new/src/unshar.c
>--- ./sharutils-4.2.1/src/unshar.c	1995-11-21 17:22:14.000000000 +0100
>+++ ./sharutils-4.2.1_new/src/unshar.c	2004-09-29 09:06:12.216468128 +0200
>@@ -346,8 +346,8 @@
> {
>   size_t size_read;
>   FILE *file;
>-  char name_buffer[NAME_BUFFER_SIZE];
>-  char copy_buffer[NAME_BUFFER_SIZE];
>+  char name_buffer[NAME_BUFFER_SIZE] = {'\0'};
>+  char copy_buffer[NAME_BUFFER_SIZE] = {'\0'};
>   int optchar;
> 
>   program_name = argv[0];
>@@ -409,14 +409,15 @@
>   if (optind < argc)
>     for (; optind < argc; optind++)
>       {
>-	if (argv[optind][0] == '/')
>-	  stpcpy (name_buffer, argv[optind]);
>-	else
>-	  {
>-	    char *cp = stpcpy (name_buffer, current_directory);
>-	    *cp++ = '/';
>-	    stpcpy (cp, argv[optind]);
>-	  }
>+	if (argv[optind][0] == '/') {
>+		strncpy (name_buffer, argv[optind], sizeof(name_buffer));
>+		name_buffer[sizeof(name_buffer)-1] = '\0';
>+	}
>+	else {

>>> snprintf(name_buffer, sizeof(name_buffer),"%s/%s", current_directory, argv[optind]);
>>> name_buffer[sizeof(name_buffer)-1] = '\0';

>+	}
> 	if (file = fopen (name_buffer, "r"), !file)
> 	  error (EXIT_FAILURE, errno, name_buffer);
> 	unarchive_shar_file (name_buffer, file);
Comment 4 SpanKY gentoo-dev 2004-09-29 05:41:56 UTC
please post an additional attachment instead of trying to edit it ... bugzilla mangles the patch horribly otherwise :/
Comment 5 Florian Schilhabel (RETIRED) gentoo-dev 2004-09-29 06:16:12 UTC
Created attachment 40702 [details, diff]
the revised (working !!!) patch
Comment 6 SpanKY gentoo-dev 2004-09-29 07:22:46 UTC
updated patch looks sane to me; added to 4.2.1-r10
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-09-29 08:37:44 UTC
Arches, please mark 4.2.1-r10 stable
Comment 8 Olivier Crete (RETIRED) gentoo-dev 2004-09-29 08:42:13 UTC
-r10 wont build here.. it asks for app-arch/sharutils/files/sharutils-4.2.1-r6-gentoo.diff which doesnt exist.. should it point to sharutils-4.2.1-gentoo.patch or is it something else you forgot to commit ?
Comment 9 solar (RETIRED) gentoo-dev 2004-09-29 09:57:39 UTC
Note: 
There are far more than just 2 problem areas in sharutils. When I last reviewed it I saw some many problem areas that I just gave up and said this thing needs a complete rewrite. So if you guys are going to do a GLSA I _really_ suggest you look quite a bit closer at the code. Also due to the nature of sharutils it's probably best to work with upstream on this package.
Comment 10 Patrick Fourniols 2004-09-29 10:00:10 UTC
app-arch/sharutils/files/sharutils-4.2.1-r6-gentoo.diff is deleted by portage
emerge sync
...
deleting app-arch/sharutils/files/sharutils-4.2.1-r6-gentoo.diff
Comment 11 Olivier Crete (RETIRED) gentoo-dev 2004-09-29 10:33:02 UTC
vapier renamed the patch without fixing -r10.. I fixed it.. Holding off a little before marking it x86... Can anyone look at the other problems solar mentionned ?
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-09-29 11:32:11 UTC
Hmm dunno what to do about this package. It has no Gentoo maintainer, it has no clear upstream maintainer, and it's full of various flaws.

Like solar said, it's not the first time we patch something in there (see bug 46998) and it needs a thorough audit. But unless someone volunteers to audit this package and coordinate fixes with upstream (see bug 46998 for pointers), it's probably better to patch vulnerabilities as they are found.
Comment 13 SpanKY gentoo-dev 2004-09-29 11:56:53 UTC
last upstream release was in 1999

to me that says this package is dead upstream (just like so many GNU utils)

maybe someday, out of the blue, a maintainer will step up ... but for now, none exist
Comment 14 Simon Stelling (RETIRED) gentoo-dev 2004-09-29 12:04:33 UTC
so what do we do now? test it and mark it stable or take it out of cvs?
Comment 15 SpanKY gentoo-dev 2004-09-29 12:31:12 UTC
why would we take it out of cvs ?

marked amd64/arm/hppa/ia64/s390 stable
Comment 16 SpanKY gentoo-dev 2004-09-29 12:32:00 UTC
ppc stable now too
Comment 17 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-29 12:41:46 UTC
sparc stable then...
Comment 18 Olivier Crete (RETIRED) gentoo-dev 2004-09-29 14:36:19 UTC
Stable on x86 too then...
Comment 19 Bryan Østergaard (RETIRED) gentoo-dev 2004-09-29 14:44:46 UTC
Stable on alpha.
Comment 20 SpanKY gentoo-dev 2004-09-30 05:53:45 UTC
*** Bug 65846 has been marked as a duplicate of this bug. ***
Comment 21 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-09-30 16:03:18 UTC
What depends on sharutils?

jaervosz asked me to review the GLSA draft, but frankly given solar's comment I would prefer pulling it out entirely.  Is this feasible?

If that's not a good option, for whatever reason, I'll go ahead and review, but someone (possi/probably me, if I have the time) really should conduct a more thorough security audit.
Comment 22 SpanKY gentoo-dev 2004-09-30 17:20:37 UTC
this package isnt going anywhere, stop thinking about removing it

it's one of those old school standard utilities ... shar archives arent as popular anymore, but go back in time and they were pretty heavily used
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2004-10-01 05:29:07 UTC
GLSA 200410-01
Comment 24 Joshua Kinard gentoo-dev 2004-10-02 06:33:27 UTC
Stable on mips.
Comment 25 Tom Gall (RETIRED) gentoo-dev 2004-10-09 19:26:38 UTC
stable on ppc64, thanks!
Comment 26 Ulf Harnhammar 2004-10-21 07:53:13 UTC
There is a 4.3.77 version out now, that fixes lots of buffer overflows. Perhaps you could package that?

I don't think that version is 100% perfect either. I'll do a thorough audit of it, when I get the time.

// Ulf Harnhammar
   Debian Security Audit Project