Bug 123230

Summary: Buffer overflow in handling of -o option
Product: Fedora
Component: sharutils
Version: 1
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Leonard den Ottolander <leonard-rh-bugzilla>
Assignee: Than Ngo <than>
CC: mjc
Doc Type: Bug Fix
Last Closed: 2004-05-21 15:01:52 UTC
Attachments: Option -o patch (flags: none)

Description Leonard den Ottolander 2004-05-14 16:09:40 UTC
Shaun Colley discovered a buffer overflow in sharutils <= 2.5.5 when
using the -o option.

See http://www.spinics.net/lists/bugtraq/msg11869.html and
http://www.spinics.net/lists/bugtraq/msg11898.html for details.

Comment 1 Leonard den Ottolander 2004-05-14 16:12:58 UTC
Oops. That must be sharutils <= 4.2.1. Must have gotten 2.5.5 from
another package that I was looking at earlier.

Comment 2 Leonard den Ottolander 2004-05-14 16:15:28 UTC
Created attachment 100229 [details]
Option -o patch

Patch taken from SuSE 9.0 sharutils-4.2c-718.src.rpm. Modified header so it
patches using -p1 instead of -p0.

Note that the patch in the original announcement
(http://www.spinics.net/lists/bugtraq/msg11869.html) is incorrect (see
http://www.spinics.net/lists/bugtraq/msg11898.html).

Comment 3 Mark J. Cox 2004-05-17 11:50:23 UTC
Downgrading severity; buffer overflow in a non-setuid/gid program.

Comment 4 Leonard den Ottolander 2004-05-18 12:26:59 UTC
I am not aware of the criteria you use for this. Are these described
somewhere? They seem to be different from the explanation of
"Severity" in the bugzilla form help.

I must say that if this can be (remotely) exploited to gain a shell it
might be used as a stepping stone to exploit an unplugged local root
exploit. It should be fixed ASAP.

Comment 5 Than Ngo 2004-05-21 15:01:52 UTC
It's now fixed in sharutils-4_2_1-19, which will show up in
rawhide soon.

Comment 6 Leonard den Ottolander 2004-05-21 19:14:44 UTC
What kind of version is that, 4_2_1? Are the underscores here to stay?

With rawhide you also mean FC1 testing? Or are you just releasing it
for FC2?