Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 78530 - net-nntp/newspost 2.1.1 buffer overflow issue (CAN-2005-0101)
Summary: net-nntp/newspost 2.1.1 buffer overflow issue (CAN-2005-0101)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL: http://people.freebsd.org/~niels/issu...
Whiteboard: B2 [glsa] lewk
Keywords:
Depends on:
Blocks:
 
Reported: 2005-01-18 09:22 UTC by Sune Kloppenborg Jeppesen
Modified: 2005-02-02 16:25 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-01-18 09:22:21 UTC
An overflow exists in the socket_getline() function. This function
reads a string from the socket into a given array and is used by
the nntp_get_response function.

The problem code is:

        while (TRUE) {
                retval = read(sockfd, pi, 1);
                if(retval < 0)
                        ui_socket_error(errno);
                read_count += retval;
                pi++;
                if (buffer[i] == '\n')
                        break;
                i++;
        }

The pi array is the buffer and data is read into it until a '\n'
is received.  So to overflow the buffer one has to provide a long
string without newline characters.

Testing the overflow:
---------------------

Create a server:
perl -e 'print "A" x 1024;print "BBBBCCCCDDDDEEEE"'|  nc -v -l -p 119

Connect to it:
newspost  -s test -i localhost -f me@me.nl -n news.news  /etc/hosts

Break the connection by ^C'ing the netcat and you will see that
newspost segfaults immediately.

Fix for the problem:
--------------------

A rather simple fix would be to apply the patch below. It does the
job because all buffers handed to the socket_getline function are
STRING_BUFSIZE big.

--- base/socket.c.orig  Tue Jan 18 11:08:02 2005
+++ base/socket.c       Tue Jan 18 11:10:08 2005
@@ -126,7 +126,7 @@

        i = 0;
        pi = buffer;
-       while (TRUE) {
+       while (read_count < STRING_BUFSIZE - 1) {
                retval = read(sockfd, pi, 1);
                if(retval < 0)
                        ui_socket_error(errno);
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-18 09:23:24 UTC
Upstream has been notified of disclosure date.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-02-01 08:23:11 UTC
net-news please provide an updated ebuild. Upstream has apparently not released a fixed version.
Comment 3 Sven Wegener gentoo-dev 2005-02-01 08:52:05 UTC
net-nntp/newspost-2.0-r1
net-nntp/newspost-2.1.1-r1

with the patch in CVS and stable on x86. 2.0 is still needed because net-nntp/gnewspost depends on it.
Comment 4 Luke Macken (RETIRED) gentoo-dev 2005-02-02 16:25:43 UTC
GLSA 200502-05, thanks everyone!