Bug 145527

Summary: CAN-2005-0086 less crashes on scrolling of binary files
Product: Red Hat Enterprise Linux 3 Reporter: Victor Ashik <victor>
Component: lessAssignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: medium    
Version: 3.0CC: bressers, karsten, pknirsch, security-response-team, shillman
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: impact=important,public=20050119
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-01-26 15:40:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Binary file consists of 1036 '\0x81' chars - testcase for less segfault
none
Expand charset[] buffer with expanding of other buffers
none
Corrected patch for expading charset[] buffer with expanding of other buffers none

Description Victor Ashik 2005-01-19 12:15:08 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
Scrolling of hdlist2 causes less to segfault.

Version-Release number of selected component (if applicable):
less-378-11

How reproducible:
Always

Steps to Reproduce:
1. Mount any RHEL3 CD1 on /mnt/cdrom and do
2. less -f /mnt/cdrom/RedHat/base/hdlist2
3. Press and hold spacebar.

Actual Results:  It will cause a segmentation fault.


Expected Results:  Scrolling till the end of file.

Additional info:

I think it is the failed assertion in first line of buffering_multi.
Comment 1 Suzanne Hillman 2005-01-19 22:34:38 UTC 
Why are you trying to run less on a binary file?
Comment 2 Victor Ashik 2005-01-20 11:24:46 UTC 
Because I like it ;-)

It may be a security problem, because after some digging with debugger
it looks like a buffer overflow.

Vulnerable pager is a very, very bad thing.
I am sorry for not giving it SECURITY flag yesterday. Giving it now.
Please, fix it.

Hint1: buffer overflows in a UTF-8 locale on a line of 0x81 bytes
longer than 1028.
Hint2: overflow seems to overwrite MULBUF* mp in multi.c
Comment 3 Victor Ashik 2005-01-20 14:12:38 UTC 
Update: in en_US.UTF-8 locale Hint1 requires more than 1035 bytes.
Comment 4 Victor Ashik 2005-01-20 14:14:26 UTC 
Created attachment 110010 [details]
Binary file consists of 1036 '\0x81' chars - testcase for less segfault
Comment 6 Josh Bressers 2005-01-20 14:40:20 UTC 
This issue could be dangerous.  Ideally this issue would be best fixed in the
next round of quarterly updates.
Comment 8 Victor Ashik 2005-01-21 11:39:58 UTC 
Created attachment 110046 [details]
Expand charset[] buffer with expanding of other buffers

Found the error. We are expanding linebuf[] and attr[] buffers in
expand_linebuf(), line.c:90, but forgetting to expand charset[] buffer.
Comment 9 Victor Ashik 2005-01-21 12:49:46 UTC 
Comment on attachment 110046 [details]
Expand charset[] buffer with expanding of other buffers

The patch is not perfect.

calloc for charset should allocate sizeof(CHARSET) blocks and returned pointer
sould be converted to (CHARSET*)
Comment 10 Victor Ashik 2005-01-21 12:52:13 UTC 
Created attachment 110048 [details]
Corrected patch for expading charset[] buffer with expanding of other buffers

Corrected types in calloc line. Now it works.
Comment 11 Jindrich Novy 2005-01-24 10:18:51 UTC 
Victor, thanks for the patch. The fix is confirmed and patch is now added to CVS.
Comment 12 Victor Ashik 2005-01-24 10:24:29 UTC 
Thanks for a job well done.
Comment 15 Josh Bressers 2005-01-25 14:27:50 UTC 
I've done some investigating on this issue.  This problem is caused by
a patch we apply to the RHEL3 less.  It does not affect the original
version, or any upstream versions I've tried.
Comment 16 Josh Bressers 2005-01-26 15:40:20 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-068.html