Bug 1165296

Summary: afpfs-ng crashes because of incorrect paramater (bogus patch)
Product: [Fedora] Fedora Reporter: Hubert Figuiere <hub+rhbz>
Component: afpfs-ngAssignee: Lubomir Rintel <lkundrak>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 21CC: lkundrak
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Fixed In Version: afpfs-ng-0.8.1-13.fc20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-07 01:25:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Description Flags
afpfs-ng-0.8.1-formatsec.patch none

Description Hubert Figuiere 2014-11-18 18:51:05 UTC
See bug 1036982 for the source of the problem

Description of problem:
mount_afp crashes.

Version-Release number of selected component (if applicable):

How reproducible:
All the time

Steps to Reproduce:
1. $ mount_afp afp://foo/Music Music

Actual results:

zsh: segmentation fault (core dumped)  mount_afp afp://foo/Music Music

Expected results:

no crash

Additional info:


replace snprintf by strncat without checking the paramaters are in order.

snprintf(..., ...., "%s", ...) instead of strncat().

Had you tested it you'd know.

Comment 1 Hubert Figuiere 2014-11-18 18:55:51 UTC
strncpy() would work too.

And if you really want to be secure, the size parameter is supposed to be the size of the destination, not the size from the source.

Comment 2 Hubert Figuiere 2014-11-18 19:06:06 UTC
Also it should be noted that you ignored the compiler warnings too:

 gcc -DHAVE_CONFIG_H -I. -I.. -D_FILE_OFFSET_BITS=64 -I../include -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -c status.c  -fPIC -DPIC -o .libs/libafpclient_la-status.o
afp_url.c: In function 'afp_parse_url':
afp_url.c:236:2: warning: passing argument 2 of 'strncat' makes pointer from integer without a cast


Comment 3 Hubert Figuiere 2014-11-24 20:56:54 UTC
Created attachment 960937 [details]

Here the fixed version of the patch (not of a diff of the patch but just afpfs-ng-0.8.1-formatsec.patch as found in SOURCES).

It fixes what the other patch broke. There is plenty of other things upstream that should be fixed too.

Please apply this urgently.

Comment 4 Fedora Update System 2014-11-25 23:10:33 UTC
afpfs-ng-0.8.1-18.fc21 has been submitted as an update for Fedora 21.

Comment 5 Fedora Update System 2014-11-25 23:11:44 UTC
afpfs-ng-0.8.1-13.fc20 has been submitted as an update for Fedora 20.

Comment 6 Hubert Figuiere 2014-11-25 23:31:45 UTC
Thank you kindly.

Comment 7 Fedora Update System 2014-11-27 08:36:52 UTC
Package afpfs-ng-0.8.1-13.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing afpfs-ng-0.8.1-13.fc20'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2015-01-07 01:25:18 UTC
afpfs-ng-0.8.1-18.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-01-07 01:26:27 UTC
afpfs-ng-0.8.1-13.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.