Bug 145527
Field | Value
---|---
Summary | CAN-2005-0086 less crashes on scrolling of binary files
Product | Red Hat Enterprise Linux 3
Reporter | Victor Ashik <victor>
Component | less
Assignee | Jindrich Novy <jnovy>
Status | CLOSED ERRATA
QA Contact |
Severity | high
Docs Contact |
Priority | medium
Version | 3.0
CC | bressers, karsten, pknirsch, security-response-team, shillman
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | i386
OS | Linux
Whiteboard | impact=important,public=20050119
Fixed In Version |
Doc Type | Bug Fix
Doc Text |
Story Points | ---
Clone Of |
Environment |
Last Closed | 2005-01-26 15:40:20 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | ---
Target Upstream Version |
Embargoed |
Attachments |
Description
Victor Ashik
2005-01-19 12:15:08 UTC
Why are you trying to run less on a binary file? Because I like it ;-) It may be a security problem, because after some digging with a debugger it looks like a buffer overflow. A vulnerable pager is a very, very bad thing. I am sorry for not giving it the SECURITY flag yesterday. Giving it now. Please, fix it.

Hint1: buffer overflows in a UTF-8 locale on a line of 0x81 bytes longer than 1028.
Hint2: overflow seems to overwrite MULBUF* mp in multi.c

Update: in en_US.UTF-8 locale Hint1 requires more than 1035 bytes.

Created attachment 110010 [details]
Binary file consists of 1036 '\0x81' chars - testcase for less segfault

This issue could be dangerous. Ideally this issue would be best fixed in the next round of quarterly updates.

Created attachment 110046 [details]
Expand charset[] buffer with expanding of other buffers

Found the error. We are expanding linebuf[] and attr[] buffers in expand_linebuf(), line.c:90, but forgetting to expand charset[] buffer.

Comment on attachment 110046 [details]
Expand charset[] buffer with expanding of other buffers

The patch is not perfect. calloc for charset should allocate sizeof(CHARSET) blocks and the returned pointer should be converted to (CHARSET*).

Created attachment 110048 [details]
Corrected patch for expanding charset[] buffer with expanding of other buffers

Corrected types in calloc line. Now it works.

Victor, thanks for the patch. The fix is confirmed and patch is now added to CVS. Thanks for a job well done.

I've done some investigating on this issue. This problem is caused by a patch we apply to the RHEL3 less. It does not affect the original version, or any upstream versions I've tried.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-068.html
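The root cause the comments above describe is a general bug class: several buffers are indexed by the same counter, the routine that grows them forgets one, and the next write past the old capacity corrupts the heap. The following C model is an added example written for this page; it is not code from less, from the attached patches, or from Red Hat. It keeps three parallel buffers named after the ones in the report (`linebuf[]`, `attr[]`, `charset[]`) and pairs the forgetful expand step with the corrected one, which grows `charset[]` with `sizeof(CHARSET)` elements and casts the result to `CHARSET *` as the corrected patch does. The `struct linebufs` type, the `linebuf_append` and `feed_line` helpers, the 1024-entry initial capacity and the `CHARSET` typedef are all assumptions for the demonstration; the real `expand_linebuf()` in line.c is only modelled, not reproduced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: models less's parallel per-line buffers (linebuf[], attr[],
 * charset[]) and the expand step that has to grow all of them together.
 * Every name and size here is an assumption for the demonstration, not code
 * from less or from the patches attached to the bug. */

#define LINEBUF_INIT 1024              /* assumed initial capacity */

typedef unsigned char CHARSET;         /* stand-in for less's CHARSET type */

struct linebufs {
    char    *linebuf;       /* characters of the current line */
    char    *attr;          /* display attribute per character */
    CHARSET *charset;       /* character-set tag per character */
    size_t   size_linebuf;  /* capacity of linebuf and attr */
    size_t   size_charset;  /* capacity of charset, tracked separately on purpose */
    size_t   curr;          /* characters stored so far */
};

static int linebufs_init(struct linebufs *lb)
{
    lb->linebuf = calloc(LINEBUF_INIT, sizeof(char));
    lb->attr    = calloc(LINEBUF_INIT, sizeof(char));
    lb->charset = (CHARSET *)calloc(LINEBUF_INIT, sizeof(CHARSET));
    lb->size_linebuf = lb->size_charset = LINEBUF_INIT;
    lb->curr = 0;
    return (lb->linebuf && lb->attr && lb->charset) ? 0 : -1;
}

static void linebufs_free(struct linebufs *lb)
{
    free(lb->linebuf);
    free(lb->attr);
    free(lb->charset);
    memset(lb, 0, sizeof *lb);
}

/* Doubles linebuf and attr only; the capacity field is updated after both succeed. */
static int grow_linebuf_and_attr(struct linebufs *lb)
{
    size_t new_size = lb->size_linebuf * 2;
    char *nl = realloc(lb->linebuf, new_size);
    if (!nl) return -1;
    lb->linebuf = nl;
    char *na = realloc(lb->attr, new_size);
    if (!na) return -1;
    lb->attr = na;
    lb->size_linebuf = new_size;
    return 0;
}

/* The pattern the bug describes: two buffers grow, charset[] keeps its old size. */
static int expand_linebuf_buggy(struct linebufs *lb)
{
    return grow_linebuf_and_attr(lb);
}

/* The corrected pattern: charset[] grows to the same element count,
 * allocated as sizeof(CHARSET) elements and stored through a CHARSET pointer. */
static int expand_linebuf_fixed(struct linebufs *lb)
{
    if (grow_linebuf_and_attr(lb) != 0) return -1;
    CHARSET *nc = (CHARSET *)realloc(lb->charset, lb->size_linebuf * sizeof(CHARSET));
    if (!nc) return -1;
    lb->charset = nc;
    lb->size_charset = lb->size_linebuf;
    return 0;
}

/* Stores one character in all three buffers. Unlike the crashing code, it checks
 * every buffer's capacity, so a missed expansion is reported instead of overflowed. */
static int linebuf_append(struct linebufs *lb, char c, char a, CHARSET cs,
                          int (*expand)(struct linebufs *))
{
    if (lb->curr >= lb->size_linebuf && expand(lb) != 0)
        return -1;
    if (lb->curr >= lb->size_linebuf || lb->curr >= lb->size_charset)
        return -1;                     /* this is where the buggy expand is caught */
    lb->linebuf[lb->curr] = c;
    lb->attr[lb->curr]    = a;
    lb->charset[lb->curr] = cs;
    lb->curr++;
    return 0;
}

/* Feeds n bytes of 0x81 (the shape of the attached testcase) through the given
 * expand routine; returns how many bytes were stored before a capacity mismatch. */
size_t feed_line(size_t n, int (*expand)(struct linebufs *))
{
    struct linebufs lb;
    size_t stored = 0;
    if (linebufs_init(&lb) != 0) return 0;
    while (stored < n && linebuf_append(&lb, (char)0x81, 0, 1, expand) == 0)
        stored++;
    linebufs_free(&lb);
    return stored;
}

int main(void)
{
    printf("buggy expand: %zu of 1036 bytes stored\n", feed_line(1036, expand_linebuf_buggy));
    printf("fixed expand: %zu of 1036 bytes stored\n", feed_line(1036, expand_linebuf_fixed));
    return 0;
}
```

With the forgetful expand the model stops at the 1025th byte because `charset[]` is still at its initial capacity; with the corrected expand all 1036 bytes fit, and longer lines keep doubling every buffer together. When auditing code that keeps parallel arrays like this, the check to make is that every buffer indexed by the same counter is allocated, grown and freed in the same three places, and that each grow call uses that buffer's own element size.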