Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 161172

Summary: /usr/lib/amanda/chg-scsi causes buffer overflow
Product: [Fedora] Fedora Reporter: Burn Alting <burn>
Component: amandaAssignee: Radek Brich <rbrich>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6CC: stephen.walton
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-03-06 04:29:51 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Burn Alting 2005-06-20 20:45:56 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
When executing chg-scsi, a buffer overflow occurs when opening a scsi device. The problem is in changer-src/scsi-changer-driver.c:OpenDevice().

A temporary variable, tmpstr is declared with just 15 bytes, and is first used in
      sprintf(&tmpstr[0],"%s_%s","generic",pDev[0].type);
If the string 'pDev[0].type' is greater than 15 - 8 - 1 = 6 characters, and in my execution of chg-scsi it is the string 'changer', we get a buffer overflow.

Suggest increasing the size of the variable as a temporary measure.

Version-Release number of selected component (if applicable):
amanda-2.4.5-2

How reproducible:
Always

Steps to Reproduce:
1. Configure amanda to usr chg-scsi
2. run /usr/lib/amanda/cgh-scsi -info
3.
  

Actual Results:  # /usr/lib/amanda/chg-scsi -info
*** buffer overflow detected ***: /usr/lib/amanda/chg-scsi terminated
======= Backtrace: =========
...

Expected Results:  No buffer overflow

Additional info:
Comment 1 Stephen Walton 2005-11-05 13:21:07 EST
I have the same problem as the reporter but am not certain the diagnosis is
correct.  I just installed FC4 on a system which was previously running FC1, and
decided to try the Fedora amanda RPMS.  But, I have a copy of Amanda 2.4.4p3
which I compiled myself on FC1.  The source I used to build contains the same
declaration of tmpstr, and yet the unmodified chg-scsi executable from that FC1
build works fine on FC4.
Comment 2 Arjan van de Ven 2005-11-07 04:16:05 EST
FC4 has more extensive buffer overflow checks than FC1; these get put in by the
compiler so binaries compiled on FC1 just silently overflow the buffer while
binaries built on FC4 detect this bug.
Comment 3 Christian Iseli 2007-01-22 05:11:01 EST
This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it ?

Thanks.
Comment 4 Burn Alting 2007-02-20 01:08:08 EST
Bug still present in FC6 as it's using amanda 2.5.0. The bug has been fixed in a
later release of amanda - it's certainaly fixed in amanda-2.5.1p3
Comment 5 Radek Brich 2008-03-06 04:29:51 EST
FC6 is EOL, closing as WONTFIX
although the fix is in dist CVS, the rpm can't get into repo now...