Bug 1563939
| Summary: | arpwatch buffer overflow on long DNS name | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ian Donaldson <idonaldson0> |
| Component: | arpwatch | Assignee: | Ben Beasley <code> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 31 | CC: | code, mlichvar |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | arpwatch-2.1a15-48.fc33 arpwatch-2.1a15-48.fc32 arpwatch-2.1a15-48.fc31 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-11-05 01:02:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Ian Donaldson
2018-04-05 05:45:46 UTC
The following patch seems to work: *** db.c.orig Sun Oct 1 10:39:58 2000 --- db.c Thu Apr 5 15:52:56 2018 *************** *** 41,46 **** --- 41,47 ---- #include <string.h> #include <syslog.h> #include <unistd.h> + #include <limits.h> #include "gnuc.h" #ifdef HAVE_OS_PROTO_H *************** *** 62,68 **** /* Ethernet info */ struct einfo { u_char e[6]; /* ether address */ ! char h[34]; /* simple hostname */ time_t t; /* timestamp */ }; --- 63,69 ---- /* Ethernet info */ struct einfo { u_char e[6]; /* ether address */ ! char h[HOST_NAME_MAX+1];/* simple hostname */ time_t t; /* timestamp */ }; *************** *** 283,290 **** BCOPY(e, ep->e, 6); if (h == NULL && !initializing) h = getsname(a); ! if (h != NULL && !isdigit((int)*h)) ! strcpy(ep->h, h); ep->t = t; return (ep); } --- 284,293 ---- BCOPY(e, ep->e, 6); if (h == NULL && !initializing) h = getsname(a); ! if (h != NULL && !isdigit((int)*h)) { ! strncpy(ep->h, h, sizeof(ep->h)); ! ep->h[sizeof(ep->h)-1] = 0; ! } ep->t = t; return (ep); }

Problem still evident in fc28.

Same patch applies to arpwatch-2.1a15-42.fc28.x86_64 and fixes the issue.

This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Problem still evident in fc30.

arpwatch-2.1a15-45.fc31.x86_64 has the same issue.

This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

I have just taken ownership of this package in Fedora after it was orphaned by the previous maintainer.

I see that the new upstream version, 3.1, has increased the size of the h field to 64 bytes, as well as started using strncpy() to fill it, in an attempt to fix this issue. That seems almost consistent with the patch offered here (well, HOST_NAME_MAX+1 is 65, but as noted 63+1=64 should be enough in practice).

I plan to backport a patch based on the 3.1 code in the next few days, and release it as a security update for all supported Fedora versions. After that, I will work on https://bugzilla.redhat.com/show_bug.cgi?id=1857980, packaging version 3.1. It will take a little time to review the changes and figure out which patches need to be carried forward.

Thanks for reporting this, and for keeping the bug report updated.

FEDORA-2020-8e115f0c7a has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8e115f0c7a

FEDORA-2020-9c2f330b5a has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-9c2f330b5a

FEDORA-2020-193da8cf44 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-193da8cf44

Updates are in Rawhide, and are on their way to testing for all supported Fedora releases. I did not take time to reproduce the bug in my own environment, so testing of the update by someone who is currently seeing this bug would be appreciated.

FEDORA-2020-8e115f0c7a has been pushed to the Fedora 33 testing repository. In a short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8e115f0c7a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8e115f0c7a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2020-9c2f330b5a has been pushed to the Fedora 32 testing repository. In a short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-9c2f330b5a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9c2f330b5a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2020-193da8cf44 has been pushed to the Fedora 31 testing repository. In a short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-193da8cf44` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-193da8cf44 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

This message is a reminder that Fedora 31 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '31'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 31 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

FEDORA-2020-8e115f0c7a has been pushed to the Fedora 33 stable repository. If the problem still persists, please make note of it in this bug report.

FEDORA-2020-9c2f330b5a has been pushed to the Fedora 32 stable repository. If the problem still persists, please make note of it in this bug report.

FEDORA-2020-193da8cf44 has been pushed to the Fedora 31 stable repository. If the problem still persists, please make note of it in this bug report.
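
Review bot: In the struct einfo hunk of the db.c patch (line 62), `char h[HOST_NAME_MAX+1]` depends on a macro that <limits.h> is allowed to leave undefined on platforms where the limit is indeterminate, so the build can break outside Linux. Add an `#ifndef HOST_NAME_MAX` fallback next to the new include, or size the field from a local constant. HOST_NAME_MAX also bounds what gethostname() returns rather than a DNS label, and the field comment says "simple hostname", so a fixed 64 (63-byte label plus terminator) would state the intent more directly.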
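
Review bot: In the db.c hunk at line 283, a name longer than the field is now cut off with no trace, so the stored hostname can differ from what getsname() returned without anyone noticing. Consider a syslog message (the header is already included) when strlen(h) >= sizeof(ep->h). On the same changed line, `isdigit((int)*h)` passes a plain char, which is undefined for negative values; cast through unsigned char instead. The explicit `ep->h[sizeof(ep->h)-1] = 0;` is needed with this strncpy bound and should stay.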
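
The field sizing and termination behaviour discussed in this report, as an added example that is not part of the bug report or of arpwatch: `copy_hostname` and the other helper names are hypothetical, the input names are constructed runs of 'a', and 34 and 64 are the field sizes quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

#define OLD_H_SIZE 34   /* einfo.h size before the fix (from the patch) */
#define NEW_H_SIZE 64   /* einfo.h size in upstream 3.1 (from the thread) */
#define MAX_DEMO   256  /* upper bound for the constructed demo names */

/* Hypothetical helper, not an arpwatch function: bounded copy in the style
 * of the patch. Returns 1 if src was truncated, 0 if it fit. */
int copy_hostname(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0) return 1;
    strncpy(dst, src, dstsize);
    dst[dstsize - 1] = '\0';        /* strncpy does not add this itself */
    return strlen(src) >= dstsize;
}

/* Fill out with a constructed name of n 'a' characters (n < MAX_DEMO). */
static void make_name(char *out, size_t n)
{
    memset(out, 'a', n);
    out[n] = '\0';
}

/* Length actually stored when an n-character name goes into a field. */
size_t stored_length(size_t field_size, size_t n)
{
    char name[MAX_DEMO], field[MAX_DEMO];
    make_name(name, n);
    copy_hostname(field, field_size, name);
    return strlen(field);
}

/* 1 if strncpy alone (no explicit terminator) leaves a NUL in the field. */
int strncpy_alone_terminates(size_t field_size, size_t n)
{
    char name[MAX_DEMO], field[MAX_DEMO];
    make_name(name, n);
    strncpy(field, name, field_size);
    return memchr(field, '\0', field_size) != NULL;
}

int main(void)
{
    printf("63-char label, 34-byte field: %zu stored\n", stored_length(OLD_H_SIZE, 63));
    printf("63-char label, 64-byte field: %zu stored\n", stored_length(NEW_H_SIZE, 63));
    printf("64-char name, strncpy alone: NUL present = %d\n", strncpy_alone_terminates(NEW_H_SIZE, 64));
    return 0;
}
```

A 63-character label fits the 64-byte field whole, while the 34-byte field keeps only 33 characters; a 64-character name fills the 64-byte field with no terminator unless one is written explicitly.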